From 0bfe91357cd2fd512ad6f38b78add7d8b47863fc Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Tue, 19 Sep 2023 08:47:11 -0600
Subject: [PATCH 01/13] used signer wrapper interfaces to expose the hashfunc method
Signed-off-by: Meredith Lancaster
---
 go.mod | 36 +++++++++++-------
 go.sum | 91 ++++++++++++++++++--------------------------
 pkg/api/api.go | 12 +++---
 pkg/api/timestamp.go | 2 +-
 pkg/signer/file.go | 17 ++++++---
 pkg/signer/memory.go | 9 +++++
 pkg/signer/signer.go | 21 +++++++--
 pkg/signer/tink.go | 18 ++++++++-
 8 files changed, 118 insertions(+), 88 deletions(-)
diff --git a/go.mod b/go.mod
index 5991b8bc..064bf627 100644
--- a/go.mod
+++ b/go.mod
@@ -40,33 +40,43 @@ require ( sigs.k8s.io/release-utils v0.7.4 ) +replace github.com/sigstore/sigstore => github.com/malancas/sigstore v0.0.0-20230919024336-d4939b3b993e + +replace github.com/sigstore/sigstore/pkg/signature/kms/aws => github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20230919024336-d4939b3b993e + +replace github.com/sigstore/sigstore/pkg/signature/kms/azure => github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20230919024336-d4939b3b993e + +replace github.com/sigstore/sigstore/pkg/signature/kms/gcp => github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20230919024336-d4939b3b993e + +replace github.com/sigstore/sigstore/pkg/signature/kms/hashivault => github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20230919024336-d4939b3b993e + require ( cloud.google.com/go v0.110.6 // indirect cloud.google.com/go/compute v1.23.0 // indirect cloud.google.com/go/compute/metadata v0.2.3 // indirect cloud.google.com/go/iam v1.1.1 // indirect - cloud.google.com/go/kms v1.15.1 // indirect + cloud.google.com/go/kms v1.15.2 // indirect cloud.google.com/go/longrunning v0.5.1 // indirect filippo.io/edwards25519 v1.0.0 // indirect - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.2 // indirect github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect - github.com/aws/aws-sdk-go v1.45.0 // indirect + github.com/aws/aws-sdk-go v1.45.11 // indirect github.com/aws/aws-sdk-go-v2 v1.21.0 // indirect - github.com/aws/aws-sdk-go-v2/config v1.18.37 // indirect - 
github.com/aws/aws-sdk-go-v2/credentials v1.13.35 // indirect + github.com/aws/aws-sdk-go-v2/config v1.18.39 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.13.37 // indirect github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.3.42 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35 // indirect github.com/aws/aws-sdk-go-v2/service/kms v1.24.5 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.13.5 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.5 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.13.6 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.6 // indirect github.com/aws/aws-sdk-go-v2/service/sts v1.21.5 // indirect github.com/aws/smithy-go v1.14.2 // indirect github.com/beorn7/perks v1.0.1 // indirect @@ -89,8 +99,8 @@ require ( github.com/golang-jwt/jwt/v5 v5.0.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/google/go-containerregistry v0.16.1 // indirect - github.com/google/s2a-go v0.1.5 // indirect - github.com/google/uuid v1.3.0 // indirect + github.com/google/s2a-go v0.1.7 // indirect + github.com/google/uuid v1.3.1 // indirect github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect github.com/googleapis/gax-go/v2 v2.12.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect 
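Review bot: The five `replace` directives at the top of the first go.mod hunk redirect `github.com/sigstore/sigstore` and its four KMS submodules to a personal fork at pseudo-version `v0.0.0-20230919024336-d4939b3b993e`, so every build of this module now depends on an untagged, unreviewed fork instead of an upstream release; the rest of the hunk is ordinary indirect-dependency bumps. Because `replace` is honoured only when this module is the main module, any project that imports `pkg/signer` or `pkg/api` resolves `sigstore` to the upstream version and, if `kms.CryptoSignerWrapper` is not present there, fails to compile. If the fork is unavoidable until the upstream change lands, mark it as temporary with a comment above the block such as `// TODO: temporary fork for kms.CryptoSignerWrapper; drop once <upstream sigstore release> ships it` and make its removal a blocker for the next release.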
@@ -102,7 +112,7 @@ require ( github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect github.com/hashicorp/go-sockaddr v1.0.2 // indirect github.com/hashicorp/hcl v1.0.0 // indirect - github.com/hashicorp/vault/api v1.9.2 // indirect + github.com/hashicorp/vault/api v1.10.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jellydator/ttlcache/v3 v3.1.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect @@ -135,17 +145,17 @@ require ( go.opentelemetry.io/otel/trace v1.14.0 // indirect go.uber.org/multierr v1.10.0 // indirect golang.org/x/crypto v0.13.0 // indirect - golang.org/x/oauth2 v0.11.0 // indirect + golang.org/x/oauth2 v0.12.0 // indirect golang.org/x/sync v0.3.0 // indirect golang.org/x/sys v0.12.0 // indirect golang.org/x/term v0.12.0 // indirect golang.org/x/text v0.13.0 // indirect golang.org/x/time v0.2.0 // indirect - google.golang.org/api v0.138.0 // indirect + google.golang.org/api v0.141.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20230807174057-1744710a1577 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20230911183012-2d3300fd4832 // indirect google.golang.org/grpc v1.57.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/square/go-jose.v2 v2.6.0 // indirect diff --git a/go.sum b/go.sum index 175f9ac8..c34cfa7b 100644 --- a/go.sum +++ b/go.sum 
@@ -33,8 +33,8 @@ cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/iam v1.1.1 h1:lW7fzj15aVIXYHREOqjRBV9PsH0Z6u8Y46a1YGvQP4Y= cloud.google.com/go/iam v1.1.1/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU= -cloud.google.com/go/kms v1.15.1 h1:HUC3fAoepH3RpcQXiJhXWWYizjQ5r7YjI7SO9ZbHf9s= -cloud.google.com/go/kms v1.15.1/go.mod h1:c9J991h5DTl+kg7gi3MYomh12YEENGrf48ee/N/2CDM= +cloud.google.com/go/kms v1.15.2 h1:lh6qra6oC4AyWe5fUUUBe/S27k12OHAleOOOw6KakdE= +cloud.google.com/go/kms v1.15.2/go.mod h1:3hopT4+7ooWRCjc2DxgnpESFxhIraaI2IpAVUEhbT/w= cloud.google.com/go/longrunning v0.5.1 h1:Fr7TXftcqTudoyRJa113hyaqlGdiBQkp0Gq7tErFDWI= cloud.google.com/go/longrunning v0.5.1/go.mod h1:spvimkwdz6SPWKEt/XBij79E9fiTkHSQl/fRUUQJYJc= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= 
@@ -52,8 +52,8 @@ cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3f dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= filippo.io/edwards25519 v1.0.0 h1:0wAIcmJUqRdI8IJ/3eGi5/HwXZWPujYXXlkrQogz0Ek= filippo.io/edwards25519 v1.0.0/go.mod h1:N1IkdkCkiLB6tki+MYJoSx2JTY9NUlxZE7eHn5EwJns= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1 h1:/iHxaJhsFr0+xVFfbMr5vxz848jyiWuIEDhYq3y5odY= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.2 h1:t5+QXLCK9SVi0PPdaY0PrFvYUo24KwA0QwxnaHRSVd4= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.2/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 h1:LNHhpdK7hzUcx/k1LIcuh5k7k1LGIWLQfCjaneSj7Fc= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1/go.mod h1:uE9zaUfEQT/nbQjVi2IblCG9iaLtZsuYZ8ne+PuQ02M= github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY= 
@@ -68,19 +68,18 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/aws/aws-sdk-go v1.45.0 h1:qoVOQHuLacxJMO71T49KeE70zm+Tk3vtrl7XO4VUPZc= -github.com/aws/aws-sdk-go v1.45.0/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= +github.com/aws/aws-sdk-go v1.45.11 h1:8qiSrA12+NRr+2MVpMApi3JxtiFFjDVU1NeWe+80bYg= +github.com/aws/aws-sdk-go v1.45.11/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= github.com/aws/aws-sdk-go-v2 v1.21.0 h1:gMT0IW+03wtYJhRqTVYn0wLzwdnK9sRMcxmtfGzRdJc= github.com/aws/aws-sdk-go-v2 v1.21.0/go.mod h1:/RfNgGmRxI+iFOB1OeJUyxiU+9s88k3pfHvDagGEp0M= -github.com/aws/aws-sdk-go-v2/config v1.18.37 h1:RNAfbPqw1CstCooHaTPhScz7z1PyocQj0UL+l95CgzI= -github.com/aws/aws-sdk-go-v2/config v1.18.37/go.mod h1:8AnEFxW9/XGKCbjYDCJy7iltVNyEI9Iu9qC21UzhhgQ= -github.com/aws/aws-sdk-go-v2/credentials v1.13.35 h1:QpsNitYJu0GgvMBLUIYu9H4yryA5kMksjeIVQfgXrt8= -github.com/aws/aws-sdk-go-v2/credentials v1.13.35/go.mod h1:o7rCaLtvK0hUggAGclf76mNGGkaG5a9KWlp+d9IpcV8= +github.com/aws/aws-sdk-go-v2/config v1.18.39 
h1:oPVyh6fuu/u4OiW4qcuQyEtk7U7uuNBmHmJSLg1AJsQ= +github.com/aws/aws-sdk-go-v2/config v1.18.39/go.mod h1:+NH/ZigdPckFpgB1TRcRuWCB/Kbbvkxc/iNAKTq5RhE= +github.com/aws/aws-sdk-go-v2/credentials v1.13.37 h1:BvEdm09+ZEh2XtN+PVHPcYwKY3wIeB6pw7vPRM4M9/U= +github.com/aws/aws-sdk-go-v2/credentials v1.13.37/go.mod h1:ACLrdkd4CLZyXOghZ8IYumQbcooAcp2jo/s2xsFH8IM= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11 h1:uDZJF1hu0EVT/4bogChk8DyjSF6fof6uL/0Y26Ma7Fg= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11/go.mod h1:TEPP4tENqBGO99KwVpV9MlOX4NSrSLP8u3KRy2CDwA8= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41 h1:22dGT7PneFMx4+b3pz7lMTRyN8ZKH7M2cW4GP9yUS2g= 
@@ -93,10 +92,10 @@ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35 h1:CdzPW9kKi github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35/go.mod h1:QGF2Rs33W5MaN9gYdEQOBBFPLwTZkEhRwI33f7KIG0o= github.com/aws/aws-sdk-go-v2/service/kms v1.24.5 h1:VNEw+EdYDUdkICYAVQ6n9WoAq8ZuZr7dXKjyaOw94/Q= github.com/aws/aws-sdk-go-v2/service/kms v1.24.5/go.mod h1:NZEhPgq+vvmM6L9w+xl78Vf7YxqUcpVULqFdrUhHg8I= -github.com/aws/aws-sdk-go-v2/service/sso v1.13.5 h1:oCvTFSDi67AX0pOX3PuPdGFewvLRU2zzFSrTsgURNo0= -github.com/aws/aws-sdk-go-v2/service/sso v1.13.5/go.mod h1:fIAwKQKBFu90pBxx07BFOMJLpRUGu8VOzLJakeY+0K4= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.5 h1:dnInJb4S0oy8aQuri1mV6ipLlnZPfnsDNB9BGO9PDNY= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.5/go.mod h1:yygr8ACQRY2PrEcy3xsUI357stq2AxnFM6DIsR9lij4= +github.com/aws/aws-sdk-go-v2/service/sso v1.13.6 h1:2PylFCfKCEDv6PeSN09pC/VUiRd10wi1VfHG5FrW0/g= +github.com/aws/aws-sdk-go-v2/service/sso v1.13.6/go.mod h1:fIAwKQKBFu90pBxx07BFOMJLpRUGu8VOzLJakeY+0K4= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.6 h1:pSB560BbVj9ZlJZF4WYj5zsytWHWKxg+NgyGV4B2L58= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.6/go.mod h1:yygr8ACQRY2PrEcy3xsUI357stq2AxnFM6DIsR9lij4= github.com/aws/aws-sdk-go-v2/service/sts v1.21.5 h1:CQBFElb0LS8RojMJlxRSo/HXipvTZW2S44Lt9Mk2aYQ= github.com/aws/aws-sdk-go-v2/service/sts v1.21.5/go.mod h1:VC7JDqsqiwXukYEDjoHh9U0fOJtNWh04FPQz4ct4GGU= github.com/aws/smithy-go v1.14.2 h1:MJU9hqBGbvWZdApzpvoF2WAIJDbtjK2NDJSiJP7HblQ= 
@@ -110,7 +109,6 @@ github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kB github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M= github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= @@ -120,10 +118,6 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= -github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ= github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= 
@@ -144,7 +138,6 @@ github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.m github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= -github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/facebookgo/clock v0.0.0-20150410010913-600d898af40a h1:yDWHCSQ40h88yih2JAcL6Ls/kVkSE8GFACTGVnMPruw= github.com/facebookgo/limitgroup v0.0.0-20150612190941-6abd8d71ec01 h1:IeaD1VDVBPlx3viJT9Md8if8IxxJnO+x0JCGb054heg= @@ -156,7 +149,6 @@ github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= github.com/gabriel-vasile/mimetype v1.4.2 h1:w5qFW6JKBz9Y393Y4q372O9A7cUSequkh1Q7OhCmWKU= github.com/gabriel-vasile/mimetype v1.4.2/go.mod h1:zApsH/mKG4w07erKIaJPFiX0Tsq9BFQgN3qGY5GnNgA= -github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec= github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= 
@@ -267,7 +259,6 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= 
@@ -303,14 +294,14 @@ github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= -github.com/google/s2a-go v0.1.5 h1:8IYp3w9nysqv3JH+NJgXJzGbDHzLOTj43BmSkp+O7qg= -github.com/google/s2a-go v0.1.5/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= +github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= +github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w= github.com/google/tink/go v1.7.0/go.mod h1:GAUOd+QE3pgj9q8VKIGTCP33c/B7eb4NhxLcgTJZStM= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= -github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= +github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/enterprise-certificate-proxy v0.2.5 h1:UR4rDjcgpgEnqpIEvkiqTYKBCKLNmlge2eVjoZfySzM= github.com/googleapis/enterprise-certificate-proxy v0.2.5/go.mod h1:RxW0N9901Cko1VOCW3SXCpWP+mlIEkk2tP7jnHy9a3w= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= 
@@ -318,7 +309,6 @@ github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5m github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas= github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU= github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= -github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= @@ -345,8 +335,8 @@ github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= -github.com/hashicorp/vault/api v1.9.2 h1:YjkZLJ7K3inKgMZ0wzCU9OHqc+UqMQyXsPXnf3Cl2as= -github.com/hashicorp/vault/api v1.9.2/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8= +github.com/hashicorp/vault/api v1.10.0 h1:/US7sIjWN6Imp4o/Rj1Ce2Nr5bki/AXi9vAW3p2tOJQ= +github.com/hashicorp/vault/api v1.10.0/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8= github.com/honeycombio/beeline-go v1.10.0 h1:cUDe555oqvw8oD76BQJ8alk7FP0JZ/M/zXpNvOEDLDc= github.com/honeycombio/libhoney-go v1.16.0 h1:kPpqoz6vbOzgp7jC6SR7SkNj7rua7rgxvznI6M3KdHc= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= 
@@ -393,6 +383,16 @@ github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/malancas/sigstore v0.0.0-20230919024336-d4939b3b993e h1:w6W4PtdiTTFK78jlu5c6jddEMBnlv9lDLLST9l1VH4E= +github.com/malancas/sigstore v0.0.0-20230919024336-d4939b3b993e/go.mod h1:p9U+UbdICzTUcOzXf76yW9eVfcsltCJz2dns7W33yfM= +github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20230919024336-d4939b3b993e h1:D5CX5aJr7oN+v2RMdTqBpk0+hiYAusRsb0rx95RA3Us= +github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20230919024336-d4939b3b993e/go.mod h1:OLH55fLYuDRtYCZMyeN/rT9UzgcmHWd1Yo4flr6tOU0= +github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20230919024336-d4939b3b993e h1:+6YcLScf3kCB4r7Nxr1kgtFWySluYNGw5y96kAtowD4= +github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20230919024336-d4939b3b993e/go.mod h1:/UsuTJyJEbGtDjfFjP5a0oUskl96r8dFe4W8+FjJWnM= +github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20230919024336-d4939b3b993e h1:+L4QH9UFPMuo1TDn7r1kRA+iwwB+1buu9nKNcFwZUDY= +github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20230919024336-d4939b3b993e/go.mod h1:tKRTrc+5587Q2AMDAajDv1j5/1xvz3xajtqkDyLlYic= +github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20230919024336-d4939b3b993e h1:WLFRUZvB0ySuA3Ojt1iWk+4Zz3Y5urYfHJ62YfqW6tc= +github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20230919024336-d4939b3b993e/go.mod h1:R+gAZ3uUE3xZbmUHgL8BeAs9po1y4po6/PVwIprJU7A= github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE= github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= github.com/mattn/go-colorable v0.0.9/go.mod 
h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= @@ -439,7 +439,6 @@ github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc= github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg= github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM= -github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= 
@@ -450,16 +449,6 @@ github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= -github.com/sigstore/sigstore v1.7.3 h1:HVVTfrMezJeLyl2xhJ8edzkrEGBa4KxjQZB4FlQ4JLU= -github.com/sigstore/sigstore v1.7.3/go.mod h1:cl0c7Dtg3MM3c13L8pqqrfrmBa0eM3POcdtBepjylmw= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.7.3 h1:HbtK8W1bl+BhUPPtpfh4bgkm5oXrtzqd6FTvFg+oor8= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.7.3/go.mod h1:JPLKxAUNNsuUQZUy9G3TGhfZCrUaGWa18dxJUQb2E/s= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.7.3 h1:dS0f3vtSfgJClJrIFKzfettFfSfygEWDd/yecLcH1uc= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.7.3/go.mod h1:N2GlshxHUDP3V2irRTZNgXkExAXL9y32bEK2k7jDLKo= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.7.3 h1:zO5OlN1DZ/f6N2Gtl72NleHv2kLudSxa9evaz1VgIKQ= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.7.3/go.mod h1:JVLf01VmZPBqkISIc7EDCFeTk4aFC0+uL/SXC57QhHQ= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.7.3 h1:IVPaj3NCCc037V2gtFISnSeebmBq1vnkKoPpNjHL3yM= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.7.3/go.mod h1:prbSgDAfwNix71ZKDll1Pp1EucXP7r0UGnAqQ1hcrHo= github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= 
@@ -537,7 +526,6 @@ go.opentelemetry.io/otel v1.14.0/go.mod h1:o4buv+dJzx8rohcUeRmWUZhqupFvzWis188Wl go.opentelemetry.io/otel/sdk v1.14.0 h1:PDCppFRDq8A1jL9v6KMI6dYesaq+DFcDZvjsoGvxGzY= go.opentelemetry.io/otel/trace v1.14.0 h1:wp2Mmvj41tDsyAJXiWDWpfNsOiIyd38fy85pyKcFq/M= go.opentelemetry.io/otel/trace v1.14.0/go.mod h1:8avnQLK+CG77yNLUae4ea2JDQ6iT+gozhnZjy/rw9G8= -go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.step.sm/crypto v0.35.0 h1:0N6ks5n1sdv4+biJMUTdqHjpTBKKN9zNqqBdOJIyHe4= go.step.sm/crypto v0.35.0/go.mod h1:sBsrpVReoxmiLexbWL+vQRxZd6Gq4YBj/IRSUH+DZe4= go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= @@ -556,7 +544,6 @@ golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I= 
@@ -647,8 +634,8 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU= -golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk= +golang.org/x/oauth2 v0.12.0 h1:smVPGxink+n1ZI5pkQa8y6fZT0RW0MgCO5bFpepy4B4= +golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -735,7 +722,6 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= 
@@ -823,8 +809,8 @@ google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz513 google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= -google.golang.org/api v0.138.0 h1:K/tVp05MxNVbHShRw9m7e9VJGdagNeTdMzqPH7AUqr0= -google.golang.org/api v0.138.0/go.mod h1:4xyob8CxC+0GChNBvEUAk8VBKNvYOTWM9T3v3UfRxuY= +google.golang.org/api v0.141.0 h1:Df6vfMgDoIM6ss0m7H4MPwFwY87WNXHfBIda/Bmfl4E= +google.golang.org/api v0.141.0/go.mod h1:iZqLkdPlXKyG0b90eu6KxVSE4D/ccRF2e/doKD2CnQQ= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= @@ -856,7 +842,6 @@ google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfG google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= 
@@ -874,8 +859,8 @@ google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5 h1:L6iMMGrtzgHsWof google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5/go.mod h1:oH/ZOT02u4kWEp7oYBGYFFkCdKS/uYR9Z7+0/xuuFp8= google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5 h1:nIgk/EEq3/YlnmVVXVnm14rC2oxgs1o0ong4sD/rd44= google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5/go.mod h1:5DZzOUPCLYL3mNkQ0ms0F3EuUNZ7py1Bqeq6sxzI7/Q= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230807174057-1744710a1577 h1:wukfNtZmZUurLN/atp2hiIeTKn7QJWIQdHzqmsOnAOk= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230807174057-1744710a1577/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230911183012-2d3300fd4832 h1:o4LtQxebKIJ4vkzyhtD2rfUNZ20Zf0ik5YVP5E7G7VE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230911183012-2d3300fd4832/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= 
@@ -889,12 +874,9 @@ google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3Iji google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= google.golang.org/grpc v1.57.0 h1:kfzNeI/klCGD2YPMUlaGNT3pxvYfga7smW3Vth8Zsiw= google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= @@ -922,7 +904,6 @@ gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= diff --git a/pkg/api/api.go b/pkg/api/api.go index 40b95aa6..e3872584 100644 --- a/pkg/api/api.go +++ b/pkg/api/api.go 
@@ -18,7 +18,6 @@ package api import ( "bytes" "context" - "crypto" "crypto/x509" "fmt" "os" @@ -28,21 +27,22 @@ import ( "github.com/spf13/viper" "github.com/sigstore/sigstore/pkg/cryptoutils" + "github.com/sigstore/sigstore/pkg/signature/kms" "github.com/sigstore/timestamp-authority/pkg/log" "github.com/sigstore/timestamp-authority/pkg/signer" tsx509 "github.com/sigstore/timestamp-authority/pkg/x509" ) type API struct { - tsaSigner crypto.Signer // the signer to use for timestamping - certChain []*x509.Certificate // timestamping cert chain - certChainPem string // PEM encoded timestamping cert chain + tsaSigner kms.CryptoSignerWrapper // the signer to use for timestamping + certChain []*x509.Certificate // timestamping cert chain + certChainPem string // PEM encoded timestamping cert chain } func NewAPI() (*API, error) { ctx := context.Background() - tsaSigner, err := signer.NewCryptoSigner(ctx, viper.GetString("timestamp-signer"), + tsaSigner, err := signer.NewCryptoSigner(ctx, signer.SignerScheme(viper.GetString("timestamp-signer")), viper.GetString("kms-key-resource"), viper.GetString("tink-key-resource"), viper.GetString("tink-keyset-path"), viper.GetString("tink-hcvault-token"), @@ -54,7 +54,7 @@ func NewAPI() (*API, error) { var certChain []*x509.Certificate // KMS, Tink and File signers require a provided certificate chain - if viper.GetString("timestamp-signer") != signer.MemoryScheme { + if signer.SignerScheme(viper.GetString("timestamp-signer")) != signer.MemoryScheme { certChainPath := viper.GetString("certificate-chain-path") data, err := os.ReadFile(filepath.Clean(certChainPath)) if err != nil { diff --git a/pkg/api/timestamp.go b/pkg/api/timestamp.go index c4abfd36..d4f54c63 100644 --- a/pkg/api/timestamp.go +++ b/pkg/api/timestamp.go 
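Review bot: The API struct now types tsaSigner as `kms.CryptoSignerWrapper` while `signer.NewCryptoSigner` returns `signer.WrappedSigner`, so the assignment in NewAPI only compiles if the two interfaces happen to have the same method set, and it ties the api package to the replaced kms dependency instead of this repo's own abstraction; typing the field as `signer.WrappedSigner` would decouple it. The conversion `signer.SignerScheme(viper.GetString("timestamp-signer"))` is also evaluated twice in NewAPI; compute it once, `scheme := signer.SignerScheme(viper.GetString("timestamp-signer"))`, and use it for both the constructor call and the `!= signer.MemoryScheme` check. NewAPI continues outside the hunk.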
@@ -173,7 +173,7 @@ func TimestampResponseHandler(params ts.GetTimestampResponseParams) middleware.R ExtraExtensions: req.Extensions, } - resp, err := tsStruct.CreateResponseWithOpts(api.certChain[0], api.tsaSigner, crypto.SHA256) + resp, err := tsStruct.CreateResponseWithOpts(api.certChain[0], api.tsaSigner, api.tsaSigner.HashFunc()) if err != nil { return handleTimestampAPIError(params, http.StatusInternalServerError, err, failedToGenerateTimestampResponse) } diff --git a/pkg/signer/file.go b/pkg/signer/file.go index 604b2707..9f2634c9 100644 --- a/pkg/signer/file.go +++ b/pkg/signer/file.go @@ -28,6 +28,7 @@ import ( // File returns a file-based signer and verifier, used for local testing type File struct { crypto.Signer + hashFunc crypto.Hash } func NewFileSigner(keyPath, keyPass string) (*File, error) { 
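Review bot: `api.tsaSigner.HashFunc()` is passed to CreateResponseWithOpts on every request without a check that it is set, and a zero value is reachable later in this series (Tink ed25519 keys yield an empty hash name, which NewTinkSigner maps to `crypto.Hash(0)`); what the timestamp library does with a zero hash is not visible here. Validate once at construction rather than per request — in NewAPI, after the signer is built, `if h := tsaSigner.HashFunc(); h == 0 || !h.Available() { return nil, fmt.Errorf("unsupported signer hash %v", h) }` — so the handler can rely on a usable value. TimestampResponseHandler continues outside the hunk.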
@@ -35,27 +36,33 @@ func NewFileSigner(keyPath, keyPass string) (*File, error) { if err != nil { return nil, fmt.Errorf("file: provide a valid signer, %s is not valid: %w", keyPath, err) } + + signingHashFunc := crypto.SHA256 // Cannot use signature.LoadSignerVerifier because the SignerVerifier interface does not extend crypto.Signer switch pk := opaqueKey.(type) { case *rsa.PrivateKey: - signer, err := signature.LoadRSAPKCS1v15SignerVerifier(pk, crypto.SHA256) + signer, err := signature.LoadRSAPKCS1v15SignerVerifier(pk, signingHashFunc) if err != nil { return nil, err } - return &File{signer}, nil + return &File{signer, signingHashFunc}, nil case *ecdsa.PrivateKey: - signer, err := signature.LoadECDSASignerVerifier(pk, crypto.SHA256) + signer, err := signature.LoadECDSASignerVerifier(pk, signingHashFunc) if err != nil { return nil, err } - return &File{signer}, nil + return &File{signer, signingHashFunc}, nil case ed25519.PrivateKey: signer, err := signature.LoadED25519SignerVerifier(pk) if err != nil { return nil, err } - return &File{signer}, nil + return &File{signer, signingHashFunc}, nil default: return nil, fmt.Errorf("unsupported private key type, must be RSA, ECDSA, or ED25519") } } + +func (f File) HashFunc() crypto.Hash { + return f.hashFunc +} diff --git a/pkg/signer/memory.go b/pkg/signer/memory.go index 15593b78..bc25873f 100644 --- a/pkg/signer/memory.go +++ b/pkg/signer/memory.go @@ -30,6 +30,15 @@ import ( tsx509 "github.com/sigstore/timestamp-authority/pkg/x509" ) +type Memory struct { + crypto.Signer + hashFunc crypto.Hash +} + +func (m Memory) HashFunc() crypto.Hash { + return m.hashFunc +} + // NewTimestampingCertWithChain generates an in-memory certificate chain. func NewTimestampingCertWithChain(signer crypto.Signer) ([]*x509.Certificate, error) { now := time.Now() diff --git a/pkg/signer/signer.go b/pkg/signer/signer.go index 2da3912a..f8b46a7b 100644 --- a/pkg/signer/signer.go +++ b/pkg/signer/signer.go 
@@ -31,16 +31,25 @@ import ( _ "github.com/sigstore/sigstore/pkg/signature/kms/hashivault" ) -const KMSScheme = "kms" -const TinkScheme = "tink" -const MemoryScheme = "memory" -const FileScheme = "file" +type SignerScheme string -func NewCryptoSigner(ctx context.Context, signer, kmsKey, tinkKmsKey, tinkKeysetPath, hcVaultToken, fileSignerPath, fileSignerPasswd string) (crypto.Signer, error) { +const ( + KMSScheme SignerScheme = "kms" + TinkScheme = "tink" + MemoryScheme = "memory" + FileScheme = "file" +) + +type WrappedSigner interface { + crypto.Signer + HashFunc() crypto.Hash +} + +func NewCryptoSigner(ctx context.Context, signer SignerScheme, kmsKey, tinkKmsKey, tinkKeysetPath, hcVaultToken, fileSignerPath, fileSignerPasswd string) (WrappedSigner, error) { switch signer { case MemoryScheme: sv, _, err := signature.NewECDSASignerVerifier(elliptic.P256(), rand.Reader, crypto.SHA256) - return sv, err + return Memory{sv, crypto.SHA256}, err case FileScheme: return NewFileSigner(fileSignerPath, fileSignerPasswd) case KMSScheme: diff --git a/pkg/signer/tink.go b/pkg/signer/tink.go index ac7dcdab..5848cfbb 100644 --- a/pkg/signer/tink.go +++ b/pkg/signer/tink.go @@ -50,8 +50,17 @@ var ( ed25519SignerTypeURL = "type.googleapis.com/google.crypto.tink.Ed25519PrivateKey" ) +type Tink struct { + crypto.Signer + hashFunc crypto.Hash +} + +func (t Tink) HashFunc() crypto.Hash { + return t.hashFunc +} + // NewTinkSigner creates a signer by decrypting a local Tink keyset with a remote KMS encryption key -func NewTinkSigner(ctx context.Context, tinkKeysetPath string, primaryKey tink.AEAD) (crypto.Signer, error) { +func NewTinkSigner(ctx context.Context, tinkKeysetPath string, primaryKey tink.AEAD) (*Tink, error) { f, err := os.Open(filepath.Clean(tinkKeysetPath)) if err != nil { return nil, err 
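Review bot: In the MemoryScheme case `return Memory{sv, crypto.SHA256}, err` hands the caller a wrapper around a nil signer together with the error when NewECDSASignerVerifier fails; check the error first, `if err != nil { return nil, err }`, then `return Memory{sv, crypto.SHA256}, nil`. The new exported `SignerScheme` and `WrappedSigner` also have no doc comments; something like `// WrappedSigner is a crypto.Signer that also reports the hash its signatures are computed over.` would do. The function body continues outside the hunk.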
@@ -66,7 +75,12 @@ func NewTinkSigner(ctx context.Context, tinkKeysetPath string, primaryKey tink.A if err != nil { return nil, err } - return signer, nil + + t := Tink{ + signer, + crypto.SHA256, + } + return &t, nil } // GetPrimaryKey returns a Tink AEAD encryption key from KMS From 19fcd2e1d99a1437a167a1895b9195e7ca3b5b60 Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Tue, 31 Oct 2023 14:51:40 -0600 Subject: [PATCH 02/13] fix compile errors Signed-off-by: Meredith Lancaster --- go.mod | 16 ++++++++-------- go.sum | 32 ++++++++++++++++---------------- pkg/api/api.go | 4 ++-- pkg/signer/signer.go | 8 ++++---- 4 files changed, 30 insertions(+), 30 deletions(-) diff --git a/go.mod b/go.mod index 58453f2a..70c27ffe 100644 --- a/go.mod +++ b/go.mod 
@@ -40,22 +40,22 @@ require ( sigs.k8s.io/release-utils v0.7.6 ) -replace github.com/sigstore/sigstore => github.com/malancas/sigstore v0.0.0-20230919024336-d4939b3b993e +replace github.com/sigstore/sigstore => github.com/malancas/sigstore v0.0.0-20231031155517-ba36e0d7114c -replace github.com/sigstore/sigstore/pkg/signature/kms/aws => github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20230919024336-d4939b3b993e +replace github.com/sigstore/sigstore/pkg/signature/kms/aws => github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20231031155517-ba36e0d7114c -replace github.com/sigstore/sigstore/pkg/signature/kms/azure => github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20230919024336-d4939b3b993e +replace github.com/sigstore/sigstore/pkg/signature/kms/azure => github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20231031155517-ba36e0d7114c -replace github.com/sigstore/sigstore/pkg/signature/kms/gcp => github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20230919024336-d4939b3b993e +replace github.com/sigstore/sigstore/pkg/signature/kms/gcp => github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20231031155517-ba36e0d7114c -replace github.com/sigstore/sigstore/pkg/signature/kms/hashivault => github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20230919024336-d4939b3b993e +replace github.com/sigstore/sigstore/pkg/signature/kms/hashivault => github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20231031155517-ba36e0d7114c require ( cloud.google.com/go v0.110.8 // indirect cloud.google.com/go/compute v1.23.0 // indirect cloud.google.com/go/compute/metadata v0.2.3 // indirect cloud.google.com/go/iam v1.1.2 // indirect - cloud.google.com/go/kms v1.15.3 // indirect + cloud.google.com/go/kms v1.15.4 // indirect cloud.google.com/go/longrunning v0.5.1 // indirect filippo.io/edwards25519 v1.0.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0 // indirect 
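Review bot: The five `replace` directives redirect github.com/sigstore/sigstore and its four KMS provider modules to a personal fork at a pseudo-version, and this commit only moves them to a newer fork commit rather than removing them. While they are present, every signature this service produces is computed by code whose integrity rests on that one account, and the go.sum entries for the fork are all the build verifies. Before merge they should be dropped in favour of an upstream sigstore release that contains the `CryptoSignerWrapper` API this branch depends on, or at least carry a `// TODO: remove once <UPSTREAM-PR-PLACEHOLDER> is released` comment naming the tracking change.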
@@ -65,7 +65,7 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect - github.com/aws/aws-sdk-go v1.46.3 // indirect + github.com/aws/aws-sdk-go v1.46.7 // indirect github.com/aws/aws-sdk-go-v2 v1.21.2 // indirect github.com/aws/aws-sdk-go-v2/config v1.19.1 // indirect github.com/aws/aws-sdk-go-v2/credentials v1.13.43 // indirect @@ -134,11 +134,11 @@ require ( github.com/ryanuber/go-glob v1.0.0 // indirect github.com/sagikazarmark/locafero v0.3.0 // indirect github.com/sagikazarmark/slog-shim v0.1.0 // indirect + github.com/secure-systems-lab/go-securesystemslib v0.7.0 // indirect github.com/sourcegraph/conc v0.3.0 // indirect github.com/spf13/afero v1.10.0 // indirect github.com/spf13/cast v1.5.1 // indirect github.com/subosito/gotenv v1.6.0 // indirect - github.com/theupdateframework/go-tuf v0.5.2 // indirect github.com/tidwall/pretty v1.2.0 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect go.mongodb.org/mongo-driver v1.11.3 // indirect diff --git a/go.sum b/go.sum index 5a3b0aa5..2df8a8aa 100644 --- a/go.sum +++ b/go.sum 
@@ -33,8 +33,8 @@ cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/iam v1.1.2 h1:gacbrBdWcoVmGLozRuStX45YKvJtzIjJdAolzUs1sm4= cloud.google.com/go/iam v1.1.2/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU= -cloud.google.com/go/kms v1.15.3 h1:RYsbxTRmk91ydKCzekI2YjryO4c5Y2M80Zwcs9/D/cI= -cloud.google.com/go/kms v1.15.3/go.mod h1:AJdXqHxS2GlPyduM99s9iGqi2nwbviBbhV/hdmt4iOQ= +cloud.google.com/go/kms v1.15.4 h1:gEZzC54ZBI+aeW8/jg9tgz9KR4Aa+WEDPbdGIV3iJ7A= +cloud.google.com/go/kms v1.15.4/go.mod h1:L3Sdj6QTHK8dfwK5D1JLsAyELsNMnd3tAIwGS4ltKpc= cloud.google.com/go/longrunning v0.5.1 h1:Fr7TXftcqTudoyRJa113hyaqlGdiBQkp0Gq7tErFDWI= cloud.google.com/go/longrunning v0.5.1/go.mod h1:spvimkwdz6SPWKEt/XBij79E9fiTkHSQl/fRUUQJYJc= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= 
@@ -72,8 +72,8 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/aws/aws-sdk-go v1.46.3 h1:zcrCu14ANOji6m38bUTxYdPqne4EXIvJQ2KXZ5oi9k0= -github.com/aws/aws-sdk-go v1.46.3/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= +github.com/aws/aws-sdk-go v1.46.7 h1:IjvAWeiJZlbETOemOwvheN5L17CvKvKW0T1xOC6d3Sc= +github.com/aws/aws-sdk-go v1.46.7/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= github.com/aws/aws-sdk-go-v2 v1.21.2 h1:+LXZ0sgo8quN9UOKXXzAWRT3FWd4NxeXWOZom9pE7GA= github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= github.com/aws/aws-sdk-go-v2/config v1.19.1 h1:oe3vqcGftyk40icfLymhhhNysAwk0NfiwkDi2GTPMXs= 
@@ -398,16 +398,16 @@ github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/malancas/sigstore v0.0.0-20230919024336-d4939b3b993e h1:w6W4PtdiTTFK78jlu5c6jddEMBnlv9lDLLST9l1VH4E= -github.com/malancas/sigstore v0.0.0-20230919024336-d4939b3b993e/go.mod h1:p9U+UbdICzTUcOzXf76yW9eVfcsltCJz2dns7W33yfM= -github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20230919024336-d4939b3b993e h1:D5CX5aJr7oN+v2RMdTqBpk0+hiYAusRsb0rx95RA3Us= -github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20230919024336-d4939b3b993e/go.mod h1:OLH55fLYuDRtYCZMyeN/rT9UzgcmHWd1Yo4flr6tOU0= -github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20230919024336-d4939b3b993e h1:+6YcLScf3kCB4r7Nxr1kgtFWySluYNGw5y96kAtowD4= -github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20230919024336-d4939b3b993e/go.mod h1:/UsuTJyJEbGtDjfFjP5a0oUskl96r8dFe4W8+FjJWnM= -github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20230919024336-d4939b3b993e h1:+L4QH9UFPMuo1TDn7r1kRA+iwwB+1buu9nKNcFwZUDY= -github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20230919024336-d4939b3b993e/go.mod h1:tKRTrc+5587Q2AMDAajDv1j5/1xvz3xajtqkDyLlYic= -github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20230919024336-d4939b3b993e h1:WLFRUZvB0ySuA3Ojt1iWk+4Zz3Y5urYfHJ62YfqW6tc= -github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20230919024336-d4939b3b993e/go.mod h1:R+gAZ3uUE3xZbmUHgL8BeAs9po1y4po6/PVwIprJU7A= +github.com/malancas/sigstore v0.0.0-20231031155517-ba36e0d7114c h1:b2CpZnqe6n1R031ZanXjy2LXUA/4pMA6HJ27y3twyjg= +github.com/malancas/sigstore v0.0.0-20231031155517-ba36e0d7114c/go.mod h1:9OCmYWhzuq/G4e1cy9m297tuMRJ1LExyrXY3ZC3Zt/s= 
+github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20231031155517-ba36e0d7114c h1:OhMuTlILM7k1FcOLTkCTNwz77oAhqlWTCmJNr8jh3WU= +github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20231031155517-ba36e0d7114c/go.mod h1:3pL9u1lz6w1ySi+aKBgsX1gJDyCUhK11LmetPHAUPGA= +github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20231031155517-ba36e0d7114c h1:uekPewfrD3Ds0qByJzxGFvMaNVqmGykzcHQ0HqJbuRE= +github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20231031155517-ba36e0d7114c/go.mod h1:9nJQA5YgWsXrwjrVoVaO8JfTI/TpPF+oAkpkNKZu6lo= +github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20231031155517-ba36e0d7114c h1:O2KyZSIiEA2fNqVgd2CNd1hAA7QlJbRHkiwj9i3RWeE= +github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20231031155517-ba36e0d7114c/go.mod h1:NzK4xwhukQnYPyf70yRKuIa6+TFg/boRad/GMJYOAho= +github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20231031155517-ba36e0d7114c h1:zx4cjctdObyT3vyqNzxeok/MmbdXDs//CGx9/Jizdkc= +github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20231031155517-ba36e0d7114c/go.mod h1:EI9vDWVGG8fQU9aFMY7Bd204xJiqmXcDMSkFifCf16Q= github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE= github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= 
@@ -472,6 +472,8 @@ github.com/sagikazarmark/locafero v0.3.0 h1:zT7VEGWC2DTflmccN/5T1etyKvxSxpHsjb9c github.com/sagikazarmark/locafero v0.3.0/go.mod h1:w+v7UsPNFwzF1cHuOajOOzoq4U7v/ig1mpRjqV+Bu1U= github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE= github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ= +github.com/secure-systems-lab/go-securesystemslib v0.7.0 h1:OwvJ5jQf9LnIAS83waAjPbcMsODrTQUpJ02eNLUoxBg= +github.com/secure-systems-lab/go-securesystemslib v0.7.0/go.mod h1:/2gYnlnHVQ6xeGtfIqFy7Do03K4cdCY0A/GlJLDKLHI= github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= @@ -509,8 +511,6 @@ github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcU github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= -github.com/theupdateframework/go-tuf v0.5.2 h1:habfDzTmpbzBLIFGWa2ZpVhYvFBoK0C1onC3a4zuPRA= -github.com/theupdateframework/go-tuf v0.5.2/go.mod h1:SyMV5kg5n4uEclsyxXJZI2UxPFJNDc4Y+r7wv+MlvTA= github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= diff --git a/pkg/api/api.go b/pkg/api/api.go index 4191ddb9..8a332900 100644 --- a/pkg/api/api.go +++ b/pkg/api/api.go 
@@ -36,9 +36,9 @@ import ( type API struct { tsaSigner kms.CryptoSignerWrapper // the signer to use for timestamping + tsaSignerHash crypto.Hash // hash algorithm used to hash pre-signed timestamps certChain []*x509.Certificate // timestamping cert chain certChainPem string // PEM encoded timestamping cert chain - tsaSignerHash crypto.Hash // hash algorithm used to hash pre-signed timestamps } func NewAPI() (*API, error) { @@ -49,7 +49,7 @@ func NewAPI() (*API, error) { return nil, errors.Wrap(err, "error getting hash") } tsaSigner, err := signer.NewCryptoSigner(ctx, tsaSignerHash, - viper.GetString("timestamp-signer"), + signer.SignerScheme(viper.GetString("timestamp-signer")), viper.GetString("kms-key-resource"), viper.GetString("tink-key-resource"), viper.GetString("tink-keyset-path"), viper.GetString("tink-hcvault-token"), diff --git a/pkg/signer/signer.go b/pkg/signer/signer.go index d3bfa50e..e847eb6e 100644 --- a/pkg/signer/signer.go +++ b/pkg/signer/signer.go @@ -36,9 +36,9 @@ type SignerScheme string const ( KMSScheme SignerScheme = "kms" - TinkScheme = "tink" - MemoryScheme = "memory" - FileScheme = "file" + TinkScheme SignerScheme = "tink" + MemoryScheme SignerScheme = "memory" + FileScheme SignerScheme = "file" ) type WrappedSigner interface { @@ -46,7 +46,7 @@ type WrappedSigner interface { HashFunc() crypto.Hash } -func NewCryptoSigner(ctx context.Context, signer SignerScheme, kmsKey, tinkKmsKey, tinkKeysetPath, hcVaultToken, fileSignerPath, fileSignerPasswd string) (WrappedSigner, error) { +func NewCryptoSigner(ctx context.Context, hash crypto.Hash, signer SignerScheme, kmsKey, tinkKmsKey, tinkKeysetPath, hcVaultToken, fileSignerPath, fileSignerPasswd string) (WrappedSigner, error) { switch signer { case MemoryScheme: sv, _, err := signature.NewECDSASignerVerifier(elliptic.P256(), rand.Reader, crypto.SHA256) From a117111840194037d86aadfcecfcfc54cb01d412 Mon Sep 17 00:00:00 2001 
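Review bot: `NewCryptoSigner` gains a `hash crypto.Hash` parameter but the MemoryScheme case still builds its signer with a literal `crypto.SHA256`, so the configured hash is silently ignored for in-memory signers while File signers honour it from PATCH 03 on; the same hard-coding survives the PATCH 04 rewrite of this function. Since memory_test.go constructs this scheme with `crypto.Hash(0)`, passing `hash` through would need that test to change, so at minimum document the exception the way the KMS case does, `// hash is ignored for the in-memory signer, which always uses SHA-256`. The function body continues outside the hunk.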
From: Meredith Lancaster Date: Tue, 31 Oct 2023 14:55:49 -0600 Subject: [PATCH 03/13] use incoming hash for file kms Signed-off-by: Meredith Lancaster --- pkg/signer/file.go | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/pkg/signer/file.go b/pkg/signer/file.go index 7c93a58d..dcc88754 100644 --- a/pkg/signer/file.go +++ b/pkg/signer/file.go @@ -31,38 +31,37 @@ type File struct { hashFunc crypto.Hash } +func (f File) HashFunc() crypto.Hash { + return f.hashFunc +} + func NewFileSigner(keyPath, keyPass string, hash crypto.Hash) (*File, error) { opaqueKey, err := pemutil.Read(keyPath, pemutil.WithPassword([]byte(keyPass))) if err != nil { return nil, fmt.Errorf("file: provide a valid signer, %s is not valid: %w", keyPath, err) } - signingHashFunc := crypto.SHA256 // Cannot use signature.LoadSignerVerifier because the SignerVerifier interface does not extend crypto.Signer switch pk := opaqueKey.(type) { case *rsa.PrivateKey: - signer, err := signature.LoadRSAPKCS1v15SignerVerifier(pk, signingHashFunc) + signer, err := signature.LoadRSAPKCS1v15SignerVerifier(pk, hash) if err != nil { return nil, err } - return &File{signer, signingHashFunc}, nil + return &File{signer, hash}, nil case *ecdsa.PrivateKey: - signer, err := signature.LoadECDSASignerVerifier(pk, signingHashFunc) + signer, err := signature.LoadECDSASignerVerifier(pk, hash) if err != nil { return nil, err } - return &File{signer, signingHashFunc}, nil + return &File{signer, hash}, nil case ed25519.PrivateKey: signer, err := signature.LoadED25519SignerVerifier(pk) if err != nil { return nil, err } - return &File{signer, signingHashFunc}, nil + return &File{signer, hash}, nil default: return nil, fmt.Errorf("unsupported private key type, must be RSA, ECDSA, or ED25519") } } - -func (f File) HashFunc() crypto.Hash { - return f.hashFunc -} From 8f67c710d8dd46d6c1242f7241cd7633dc23790b Mon Sep 17 00:00:00 2001 
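Review bot: `NewFileSigner` now records whatever `hash` the caller passes for the ed25519 branch even though `LoadED25519SignerVerifier` takes no hash, so `HashFunc()` reports a digest this signer does not use, and nothing in the function rejects an unset hash for the RSA and ECDSA branches (the sigstore loaders may do so, but that is not visible here). Consider rejecting `hash == 0` before those two loaders are called, `if hash == 0 { return nil, fmt.Errorf("file: a signing hash is required for RSA and ECDSA keys") }`, and a doc comment on the exported constructor, e.g. `// NewFileSigner loads a PEM-encoded private key from keyPath and returns a signer that hashes with hash; ed25519 keys sign the message directly and ignore hash.`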
From: Meredith Lancaster Date: Tue, 31 Oct 2023 17:25:02 -0600 Subject: [PATCH 04/13] use config object in CryptoSigner constructor Signed-off-by: Meredith Lancaster --- pkg/api/api.go | 17 +++++++++++------ pkg/signer/memory_test.go | 5 ++++- pkg/signer/signer.go | 24 +++++++++++++++++------- 3 files changed, 32 insertions(+), 14 deletions(-) diff --git a/pkg/api/api.go b/pkg/api/api.go index 8a332900..038c75e7 100644 --- a/pkg/api/api.go +++ b/pkg/api/api.go @@ -48,12 +48,17 @@ func NewAPI() (*API, error) { if err != nil { return nil, errors.Wrap(err, "error getting hash") } - tsaSigner, err := signer.NewCryptoSigner(ctx, tsaSignerHash, - signer.SignerScheme(viper.GetString("timestamp-signer")), - viper.GetString("kms-key-resource"), - viper.GetString("tink-key-resource"), viper.GetString("tink-keyset-path"), - viper.GetString("tink-hcvault-token"), - viper.GetString("file-signer-key-path"), viper.GetString("file-signer-passwd")) + + config := signer.SignerConfig{ + Scheme: signer.SignerScheme(viper.GetString("timestamp-signer")), + CloudKMSKey: viper.GetString("kms-key-resource"), + TinkKMSKey: viper.GetString("tink-key-resource"), + TinkKeysetPath: viper.GetString("tink-keyset-path"), + HCVaultToken: viper.GetString("tink-hcvault-token"), + FileSignerPath: viper.GetString("file-signer-key-path"), + FileSignerPasswd: viper.GetString("file-signer-passwd"), + } + tsaSigner, err := signer.NewCryptoSigner(ctx, tsaSignerHash, config) if err != nil { return nil, errors.Wrap(err, "getting new tsa signer") } diff --git a/pkg/signer/memory_test.go b/pkg/signer/memory_test.go index ca03d114..cfb77721 100644 --- a/pkg/signer/memory_test.go +++ b/pkg/signer/memory_test.go 
@@ -30,7 +30,10 @@ import ( func TestNewTimestampingCertWithChain(t *testing.T) { ctx := context.Background() - signer, err := NewCryptoSigner(ctx, crypto.Hash(0), "memory", "", "", "", "", "", "") + config := SignerConfig{ + Scheme: MemoryScheme, + } + signer, err := NewCryptoSigner(ctx, crypto.Hash(0), config) if err != nil { t.Fatalf("new signer: %v", err) } diff --git a/pkg/signer/signer.go b/pkg/signer/signer.go index e847eb6e..b4ed186e 100644 --- a/pkg/signer/signer.go +++ b/pkg/signer/signer.go 
@@ -46,28 +46,38 @@ type WrappedSigner interface { HashFunc() crypto.Hash } -func NewCryptoSigner(ctx context.Context, hash crypto.Hash, signer SignerScheme, kmsKey, tinkKmsKey, tinkKeysetPath, hcVaultToken, fileSignerPath, fileSignerPasswd string) (WrappedSigner, error) { - switch signer { +type SignerConfig struct { + Scheme SignerScheme + CloudKMSKey string + TinkKMSKey string + TinkKeysetPath string + HCVaultToken string + FileSignerPath string + FileSignerPasswd string +} + +func NewCryptoSigner(ctx context.Context, hash crypto.Hash, config SignerConfig) (WrappedSigner, error) { + switch config.Scheme { case MemoryScheme: sv, _, err := signature.NewECDSASignerVerifier(elliptic.P256(), rand.Reader, crypto.SHA256) return Memory{sv, crypto.SHA256}, err case FileScheme: - return NewFileSigner(fileSignerPath, fileSignerPasswd, hash) + return NewFileSigner(config.FileSignerPath, config.FileSignerPasswd, hash) case KMSScheme: - signer, err := kms.Get(ctx, kmsKey, hash) // hash is ignored for all KMS providers except Hashivault + signer, err := kms.Get(ctx, config.CloudKMSKey, hash) // hash is ignored for all KMS providers except Hashivault if err != nil { return nil, err } s, _, err := signer.CryptoSigner(ctx, func(err error) {}) return s, err case TinkScheme: - primaryKey, err := GetPrimaryKey(ctx, tinkKmsKey, hcVaultToken) + primaryKey, err := GetPrimaryKey(ctx, config.TinkKMSKey, config.HCVaultToken) if err != nil { return nil, err } - return NewTinkSigner(ctx, tinkKeysetPath, primaryKey) + return NewTinkSigner(ctx, config.TinkKeysetPath, primaryKey) default: - return nil, fmt.Errorf("unsupported signer type: %s", signer) + return nil, fmt.Errorf("unsupported signer type: %s", config.Scheme) } } From 0791b05c94c4a37f382ec031966aa4f0fc8e35e3 Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Tue, 31 Oct 2023 17:26:49 -0600 Subject: [PATCH 05/13] remove unused field 
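Review bot: The new exported `SignerConfig` and its fields have no doc comments, and two of them (`HCVaultToken`, `FileSignerPasswd`) are credentials, which matters now that the whole struct is passed by value and a `%+v` in a log or error message would print them. A type comment such as `// SignerConfig selects the timestamping signer; HCVaultToken and FileSignerPasswd are credentials and must not be logged.` plus a one-line comment per field naming the viper key it comes from would cover it. `NewCryptoSigner` is also still missing its doc comment.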
Signed-off-by: Meredith Lancaster --- pkg/api/api.go | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/pkg/api/api.go b/pkg/api/api.go index 038c75e7..4e6744d3 100644 --- a/pkg/api/api.go +++ b/pkg/api/api.go @@ -18,7 +18,6 @@ package api import ( "bytes" "context" - "crypto" "crypto/x509" "fmt" "os" @@ -35,10 +34,9 @@ import ( ) type API struct { - tsaSigner kms.CryptoSignerWrapper // the signer to use for timestamping - tsaSignerHash crypto.Hash // hash algorithm used to hash pre-signed timestamps - certChain []*x509.Certificate // timestamping cert chain - certChainPem string // PEM encoded timestamping cert chain + tsaSigner kms.CryptoSignerWrapper // the signer to use for timestamping + certChain []*x509.Certificate // timestamping cert chain + certChainPem string // PEM encoded timestamping cert chain } func NewAPI() (*API, error) { @@ -93,10 +91,9 @@ func NewAPI() (*API, error) { } return &API{ - tsaSigner: tsaSigner, - tsaSignerHash: tsaSignerHash, - certChain: certChain, - certChainPem: string(certChainPEM), + tsaSigner: tsaSigner, + certChain: certChain, + certChainPem: string(certChainPEM), }, nil } From 7633d99676c5ea40bc27aaeb669d5f556f1af423 Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Tue, 31 Oct 2023 17:29:00 -0600 Subject: [PATCH 06/13] keep unused arg unnamed Signed-off-by: Meredith Lancaster --- pkg/signer/tink.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/signer/tink.go b/pkg/signer/tink.go index 5848cfbb..aefb55d7 100644 --- a/pkg/signer/tink.go +++ b/pkg/signer/tink.go 
@@ -60,7 +60,7 @@ func (t Tink) HashFunc() crypto.Hash { } // NewTinkSigner creates a signer by decrypting a local Tink keyset with a remote KMS encryption key -func NewTinkSigner(ctx context.Context, tinkKeysetPath string, primaryKey tink.AEAD) (*Tink, error) { +func NewTinkSigner(_ context.Context, tinkKeysetPath string, primaryKey tink.AEAD) (*Tink, error) { f, err := os.Open(filepath.Clean(tinkKeysetPath)) if err != nil { return nil, err From 51dde03ec4f98cc294c631b7c624c7d0e1ca5069 Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Wed, 29 Nov 2023 20:07:18 -0700 Subject: [PATCH 07/13] get the hash func name when creating signer from key handle Signed-off-by: Meredith Lancaster --- cmd/fetch-tsa-certs/fetch_tsa_certs.go | 2 +- pkg/signer/tink.go | 37 +++++++++++------ pkg/signer/tink_test.go | 57 ++++++++++++++++++++++++-- 3 files changed, 80 insertions(+), 16 deletions(-) diff --git a/cmd/fetch-tsa-certs/fetch_tsa_certs.go b/cmd/fetch-tsa-certs/fetch_tsa_certs.go index 012cccd7..8a75ade5 100644 --- a/cmd/fetch-tsa-certs/fetch_tsa_certs.go +++ b/cmd/fetch-tsa-certs/fetch_tsa_certs.go @@ -195,7 +195,7 @@ func fetchCertificateChain(ctx context.Context, parent, intermediateKMSKey, leaf if err != nil { return nil, err } - leafKMSSigner, err = signer.KeyHandleToSigner(kh) + leafKMSSigner, _, err = signer.KeyHandleToSigner(kh) if err != nil { return nil, err } diff --git a/pkg/signer/tink.go b/pkg/signer/tink.go index aefb55d7..66dd24d4 100644 --- a/pkg/signer/tink.go +++ b/pkg/signer/tink.go 
@@ -71,18 +71,31 @@ func NewTinkSigner(_ context.Context, tinkKeysetPath string, primaryKey tink.AEA if err != nil { return nil, err } - signer, err := KeyHandleToSigner(kh) + signer, hashName, err := KeyHandleToSigner(kh) if err != nil { return nil, err } t := Tink{ signer, - crypto.SHA256, + getHashFromName(hashName), } return &t, nil } +func getHashFromName(name string) crypto.Hash { + lowercaseAlg := strings.ToLower(name) + switch lowercaseAlg { + case "SHA256": + return crypto.SHA256 + case "SHA512": + return crypto.SHA512 + case "SHA384": + return crypto.SHA384 + } + return crypto.Hash(0) +} + // GetPrimaryKey returns a Tink AEAD encryption key from KMS // Supports GCP, AWS, and Vault func GetPrimaryKey(ctx context.Context, kmsKey, hcVaultToken string) (tink.AEAD, error) { @@ -115,13 +128,13 @@ func GetPrimaryKey(ctx context.Context, kmsKey, hcVaultToken string) (tink.AEAD, // KeyHandleToSigner converts a key handle to the crypto.Signer interface. // Heavily pulls from Tink's signature and subtle packages. -func KeyHandleToSigner(kh *keyset.Handle) (crypto.Signer, error) { +func KeyHandleToSigner(kh *keyset.Handle) (crypto.Signer, string, error) { // extract the key material from the key handle ks := insecurecleartextkeyset.KeysetMaterial(kh) k := getPrimaryKey(ks) if k == nil { - return nil, errors.New("no enabled key found in keyset") + return nil, "", errors.New("no enabled key found in keyset") } switch k.GetTypeUrl() { 
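Review bot: `getHashFromName` lowercases its input and then compares against the uppercase literals `"SHA256"`, `"SHA512"` and `"SHA384"`, so no name can ever match and the function always returns `crypto.Hash(0)`; every Tink-backed signer therefore reports a zero hash to the timestamp handler. The cases should be `case "sha256":`, `case "sha384":` and `case "sha512":` (or drop the ToLower and use `strings.EqualFold`), and an unrecognised name is better surfaced as an error from NewTinkSigner than as a silent zero value. A unit test of getHashFromName with the names getECDSAParamNames actually produces would have caught this.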
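Review bot: The doc comment for `KeyHandleToSigner` does not mention its new second result; state what it is and when it is empty, e.g. `// The second result is the name of the hash the key is configured to sign over; it is empty for ed25519 keys, which do not prehash.` Returning a `crypto.Hash` directly instead of a string would also spare the caller the name-to-hash mapping, since this function already knows the key type. The function body continues past the hunk.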
@@ -129,33 +142,33 @@ func KeyHandleToSigner(kh *keyset.Handle) (crypto.Signer, error) { // https://github.com/google/tink/blob/9753ffddd4d04aa56e0605ff4a0db46f2fb80529/go/signature/ecdsa_signer_key_manager.go#L48 privKey := new(ecdsapb.EcdsaPrivateKey) if err := proto.Unmarshal(k.GetValue(), privKey); err != nil { - return nil, fmt.Errorf("error unmarshalling ecdsa private key: %w", err) + return nil, "", fmt.Errorf("error unmarshalling ecdsa private key: %w", err) } if err := validateEcdsaPrivKey(privKey); err != nil { - return nil, fmt.Errorf("error validating ecdsa private key: %w", err) + return nil, "", fmt.Errorf("error validating ecdsa private key: %w", err) } // https://github.com/google/tink/blob/9753ffddd4d04aa56e0605ff4a0db46f2fb80529/go/signature/subtle/ecdsa_signer.go#L39 - _, curve, _ := getECDSAParamNames(privKey.PublicKey.Params) + hashName, curve, _ := getECDSAParamNames(privKey.PublicKey.Params) p := new(ecdsa.PrivateKey) c := subtle.GetCurve(curve) p.PublicKey.Curve = c p.D = new(big.Int).SetBytes(privKey.GetKeyValue()) p.PublicKey.X, p.PublicKey.Y = c.ScalarBaseMult(privKey.GetKeyValue()) - return p, nil + return p, hashName, nil case ed25519SignerTypeURL: // https://github.com/google/tink/blob/9753ffddd4d04aa56e0605ff4a0db46f2fb80529/go/signature/ed25519_signer_key_manager.go#L47 privKey := new(ed25519pb.Ed25519PrivateKey) if err := proto.Unmarshal(k.GetValue(), privKey); err != nil { - return nil, fmt.Errorf("error unmarshalling ed25519 private key: %w", err) + return nil, "", fmt.Errorf("error unmarshalling ed25519 private key: %w", err) } if err := validateEd25519PrivKey(privKey); err != nil { - return nil, fmt.Errorf("error validating ed25519 private key: %w", err) + return nil, "", fmt.Errorf("error validating ed25519 private key: %w", err) } // https://github.com/google/tink/blob/9753ffddd4d04aa56e0605ff4a0db46f2fb80529/go/signature/subtle/ed25519_signer.go#L29 p := ed25519.NewKeyFromSeed(privKey.GetKeyValue()) - return p, nil + return 
p, "", nil default: - return nil, fmt.Errorf("unsupported key type: %s", k.GetTypeUrl()) + return nil, "", fmt.Errorf("unsupported key type: %s", k.GetTypeUrl()) } } diff --git a/pkg/signer/tink_test.go b/pkg/signer/tink_test.go index d08338c5..cdc628b1 100644 --- a/pkg/signer/tink_test.go +++ b/pkg/signer/tink_test.go @@ -16,6 +16,7 @@ package signer import ( "context" + "crypto" "crypto/ecdsa" "crypto/ed25519" "crypto/rand" @@ -53,7 +54,7 @@ func TestNewTinkSigner(t *testing.T) { if err != nil { t.Fatalf("error creating ECDSA key handle: %v", err) } - khsigner, err := KeyHandleToSigner(kh) + khsigner, _, err := KeyHandleToSigner(kh) if err != nil { t.Fatalf("error converting ECDSA key handle to signer: %v", err) } @@ -116,10 +117,11 @@ func TestKeyHandleToSignerECDSA(t *testing.T) { t.Fatalf("error creating ECDSA key handle: %v", err) } // convert to crypto.Signer interface - signer, err := KeyHandleToSigner(kh) + signer, _, err := KeyHandleToSigner(kh) if err != nil { t.Fatalf("error converting ECDSA key handle to signer: %v", err) } + msg := []byte("hello there") // sign with key handle, verify with signer public key @@ -162,7 +164,7 @@ func TestKeyHandleToSignerED25519(t *testing.T) { t.Fatalf("error creating ED25519 key handle: %v", err) } // convert to crypto.Signer interface - signer, err := KeyHandleToSigner(kh) + signer, _, err := KeyHandleToSigner(kh) if err != nil { t.Fatalf("error converting ED25519 key handle to signer: %v", err) } 
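Review bot: `return p, "", nil` in the Ed25519 branch makes the empty string a sentinel meaning "no prehash", but nothing at the return site says so, and a caller that maps names onto crypto.Hash has to know that "" is expected rather than a failure. Add a line above the return: `// Ed25519 is a pure signature scheme: the signer takes the raw message, so there is no hash-type name to report.` In the ECDSA branch the name from getECDSAParamNames is forwarded unchecked; if validateEcdsaPrivKey (its body is outside this hunk) does not constrain the hash type, names the package does not map would reach the caller unnoticed. KeyHandleToSigner's signature lies before this hunk.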
@@ -198,3 +200,52 @@ func TestKeyHandleToSignerED25519(t *testing.T) { t.Fatalf("error verifying with tink verifier: %v", err) } } + +type keyHandleTest struct { + keyTemplate *tink_go_proto.KeyTemplate + h hash.Hash + expectedHashName string + expectHashFunc crypto.Hash +} + +func TestKeyHandleToSigner(t *testing.T) { + supportedKeyTypes := []keyHandleTest{ + { + keyTemplate: signature.ECDSAP256KeyWithoutPrefixTemplate(), + h: sha256.New(), + expectedHashName: "SHA256", + expectHashFunc: crypto.SHA256, + }, + { + keyTemplate: signature.ECDSAP384KeyWithoutPrefixTemplate(), + h: sha512.New384(), + expectedHashName: "SHA512", + expectHashFunc: crypto.SHA384, + }, + { + keyTemplate: signature.ECDSAP521KeyWithoutPrefixTemplate(), + h: sha512.New(), + expectedHashName: "SHA512", + expectHashFunc: crypto.SHA512, + }, + } + for _, kt := range supportedKeyTypes { + kh, err := keyset.NewHandle(kt.keyTemplate) + if err != nil { + t.Fatalf("error creating ECDSA key handle: %v", err) + } + + _, hashName, err := KeyHandleToSigner(kh) + if err != nil { + t.Fatalf("error creating signer from ECDSA key template: %v", err) + } + + if hashName != kt.expectedHashName { + t.Fatalf("expected hash name %s, got %s", kt.expectedHashName, hashName) + } + + // if signer.HashFunc() != kt.expectHashFunc { + // t.Fatalf("expected hash func %v, got %v", kt.expectHashFunc, signer.HashFunc()) + // } + } +} From d306b277cb22e985232bbc8e86193bf665b9ea4d Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Wed, 29 Nov 2023 20:21:35 -0700 Subject: [PATCH 08/13] test the TinkSigner HashFunc method Signed-off-by: Meredith Lancaster --- pkg/signer/tink.go | 8 +-- pkg/signer/tink_test.go | 125 +++++++++++++++++++++++----------------- 2 files changed, 77 insertions(+), 56 deletions(-) diff --git a/pkg/signer/tink.go b/pkg/signer/tink.go index 66dd24d4..598474b5 100644 --- a/pkg/signer/tink.go +++ b/pkg/signer/tink.go 
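Review bot: The table loop in TestKeyHandleToSigner calls t.Fatalf directly, so the first failing template aborts the whole table and the messages ("error creating ECDSA key handle") never say which template was being exercised. Wrap the body in a subtest with a case name, e.g. `t.Run(fmt.Sprintf("%d", i), func(t *testing.T) { … })` or add a `name string` field to the table and use it, so each template is reported and fails independently. The enclosing test function begins and ends inside this hunk.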
@@ -86,12 +86,12 @@ func NewTinkSigner(_ context.Context, tinkKeysetPath string, primaryKey tink.AEA func getHashFromName(name string) crypto.Hash { lowercaseAlg := strings.ToLower(name) switch lowercaseAlg { - case "SHA256": + case "sha256": return crypto.SHA256 - case "SHA512": - return crypto.SHA512 - case "SHA384": + case "sha384": return crypto.SHA384 + case "sha512": + return crypto.SHA512 } return crypto.Hash(0) } diff --git a/pkg/signer/tink_test.go b/pkg/signer/tink_test.go index cdc628b1..8ce7e294 100644 --- a/pkg/signer/tink_test.go +++ b/pkg/signer/tink_test.go 
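Review bot: `getHashFromName` has no doc comment, and its fall-through `return crypto.Hash(0)` is load-bearing: zero is both the answer for an unrecognised name and the value NewTinkSigner stores for Ed25519 keys, so a caller cannot tell a mistyped hash type in the keyset from a pure-signature key. Document the contract, e.g. `// getHashFromName maps a Tink hash-type name (case-insensitive) to crypto.Hash. It returns crypto.Hash(0) for any name outside SHA256/SHA384/SHA512, including the empty name reported for Ed25519 keys.` Returning an error for unrecognised non-empty names would be safer than relying on the zero value. NewTinkSigner, the only caller visible here, starts outside the hunk.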
@@ -41,58 +41,86 @@ type TestStruct struct { h hash.Hash } + + func TestNewTinkSigner(t *testing.T) { - aeskh, err := keyset.NewHandle(aead.AES256GCMKeyTemplate()) - if err != nil { - t.Fatalf("error creating AEAD key handle: %v", err) - } - a, err := aead.New(aeskh) - if err != nil { - t.Fatalf("error creating AEAD key: %v", err) - } - kh, err := keyset.NewHandle(signature.ECDSAP256KeyTemplate()) - if err != nil { - t.Fatalf("error creating ECDSA key handle: %v", err) - } - khsigner, _, err := KeyHandleToSigner(kh) - if err != nil { - t.Fatalf("error converting ECDSA key handle to signer: %v", err) + type newTinkSignerTest struct { + keyTemplate *tink_go_proto.KeyTemplate + expectedHashFunc crypto.Hash } - dir := t.TempDir() - keysetPath := filepath.Join(dir, "keyset.json.enc") - f, err := os.Create(keysetPath) - if err != nil { - t.Fatalf("error creating file: %v", err) - } - defer f.Close() - jsonWriter := keyset.NewJSONWriter(f) - if err := kh.Write(jsonWriter, a); err != nil { - t.Fatalf("error writing enc keyset: %v", err) + supportedKeyTypes := []newTinkSignerTest{ + { + keyTemplate: signature.ECDSAP256KeyWithoutPrefixTemplate(), + expectedHashFunc: crypto.SHA256, + }, + { + keyTemplate: signature.ECDSAP384KeyWithoutPrefixTemplate(), + expectedHashFunc: crypto.SHA512, + }, + { + keyTemplate: signature.ECDSAP521KeyWithoutPrefixTemplate(), + expectedHashFunc: crypto.SHA512, + }, } - signer, err := NewTinkSigner(context.TODO(), keysetPath, a) - if err != nil { - t.Fatalf("unexpected error creating Tink signer: %v", err) - } + for _, kt := range supportedKeyTypes { + aeskh, err := keyset.NewHandle(aead.AES256GCMKeyTemplate()) + if err != nil { + t.Fatalf("error creating AEAD key handle: %v", err) + } + a, err := aead.New(aeskh) + if err != nil { + t.Fatalf("error creating AEAD key: %v", err) + } + kh, err := keyset.NewHandle(kt.keyTemplate) + if err != nil { + t.Fatalf("error creating ECDSA key handle: %v", err) + } + khsigner, _, err := KeyHandleToSigner(kh) + 
if err != nil { + t.Fatalf("error converting ECDSA key handle to signer: %v", err) + } - // Expect signer and key handle's public keys match - if err := cryptoutils.EqualKeys(signer.Public(), khsigner.Public()); err != nil { - t.Fatalf("keys of signer and key handle do not match: %v", err) - } + dir := t.TempDir() + keysetPath := filepath.Join(dir, "keyset.json.enc") + f, err := os.Create(keysetPath) + if err != nil { + t.Fatalf("error creating file: %v", err) + } + defer f.Close() + jsonWriter := keyset.NewJSONWriter(f) + if err := kh.Write(jsonWriter, a); err != nil { + t.Fatalf("error writing enc keyset: %v", err) + } - // Failure: Unable to decrypt keyset - aeskh1, err := keyset.NewHandle(aead.AES256GCMKeyTemplate()) - if err != nil { - t.Fatalf("error creating AEAD key handle: %v", err) - } - a1, err := aead.New(aeskh1) - if err != nil { - t.Fatalf("error creating AEAD key: %v", err) - } - _, err = NewTinkSigner(context.TODO(), keysetPath, a1) - if err == nil || !strings.Contains(err.Error(), "decryption failed") { - t.Fatalf("expected error decrypting keyset, got %v", err) + signer, err := NewTinkSigner(context.TODO(), keysetPath, a) + if err != nil { + t.Fatalf("unexpected error creating Tink signer: %v", err) + } + + if signer.HashFunc() != kt.expectedHashFunc { + t.Fatalf("unexpected hash function: %v", signer.HashFunc()) + } + + // Expect signer and key handle's public keys match + if err := cryptoutils.EqualKeys(signer.Public(), khsigner.Public()); err != nil { + t.Fatalf("keys of signer and key handle do not match: %v", err) + } + + // Failure: Unable to decrypt keyset + aeskh1, err := keyset.NewHandle(aead.AES256GCMKeyTemplate()) + if err != nil { + t.Fatalf("error creating AEAD key handle: %v", err) + } + a1, err := aead.New(aeskh1) + if err != nil { + t.Fatalf("error creating AEAD key: %v", err) + } + _, err = NewTinkSigner(context.TODO(), keysetPath, a1) + if err == nil || !strings.Contains(err.Error(), "decryption failed") { + t.Fatalf("expected 
error decrypting keyset, got %v", err) + } } } @@ -214,19 +242,16 @@ func TestKeyHandleToSigner(t *testing.T) { keyTemplate: signature.ECDSAP256KeyWithoutPrefixTemplate(), h: sha256.New(), expectedHashName: "SHA256", - expectHashFunc: crypto.SHA256, }, { keyTemplate: signature.ECDSAP384KeyWithoutPrefixTemplate(), h: sha512.New384(), expectedHashName: "SHA512", - expectHashFunc: crypto.SHA384, }, { keyTemplate: signature.ECDSAP521KeyWithoutPrefixTemplate(), h: sha512.New(), expectedHashName: "SHA512", - expectHashFunc: crypto.SHA512, }, } for _, kt := range supportedKeyTypes { @@ -243,9 +268,5 @@ func TestKeyHandleToSigner(t *testing.T) { if hashName != kt.expectedHashName { t.Fatalf("expected hash name %s, got %s", kt.expectedHashName, hashName) } - - // if signer.HashFunc() != kt.expectHashFunc { - // t.Fatalf("expected hash func %v, got %v", kt.expectHashFunc, signer.HashFunc()) - // } } } From b20a24a4ad70565815b27ca6d6839b868982bc3b Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Wed, 29 Nov 2023 20:32:13 -0700 Subject: [PATCH 09/13] clean up tests Signed-off-by: Meredith Lancaster --- pkg/signer/tink_test.go | 41 +++++++++++++++++++---------------------- 1 file changed, 19 insertions(+), 22 deletions(-) diff --git a/pkg/signer/tink_test.go b/pkg/signer/tink_test.go index 8ce7e294..e3b671e5 100644 --- a/pkg/signer/tink_test.go +++ b/pkg/signer/tink_test.go @@ -36,20 +36,13 @@ import ( "github.com/google/tink/go/signature" ) -type TestStruct struct { - keyTemplate *tink_go_proto.KeyTemplate - h hash.Hash -} - - - func TestNewTinkSigner(t *testing.T) { - type newTinkSignerTest struct { + type testcase struct { keyTemplate *tink_go_proto.KeyTemplate expectedHashFunc crypto.Hash } - supportedKeyTypes := []newTinkSignerTest{ + supportedKeyTypes := []testcase{ { keyTemplate: signature.ECDSAP256KeyWithoutPrefixTemplate(), expectedHashFunc: crypto.SHA256, 
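Review bot: `defer f.Close()` now sits inside `for _, kt := range supportedKeyTypes`, so every keyset file stays open until TestNewTinkSigner returns instead of at the end of its iteration, and a Close error can no longer fail the test. Close the file explicitly once the keyset has been written, `if err := f.Close(); err != nil { t.Fatalf("error closing keyset file: %v", err) }` right after the `kh.Write` check, or move the loop body into `t.Run` so the deferred Close runs per case. The table also expects the P-384 template to yield crypto.SHA512, which is consistent with the "SHA512" name asserted in TestKeyHandleToSigner but deserves a one-line comment since P-384 is commonly paired with SHA-384.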
@@ -125,7 +118,12 @@ func TestNewTinkSigner(t *testing.T) { } func TestKeyHandleToSignerECDSA(t *testing.T) { - supportedKeyTypes := []TestStruct{ + type testcase struct { + keyTemplate *tink_go_proto.KeyTemplate + h hash.Hash + } + + supportedKeyTypes := []testcase{ { keyTemplate: signature.ECDSAP256KeyWithoutPrefixTemplate(), h: sha256.New(), @@ -229,28 +227,23 @@ func TestKeyHandleToSignerED25519(t *testing.T) { } } -type keyHandleTest struct { - keyTemplate *tink_go_proto.KeyTemplate - h hash.Hash - expectedHashName string - expectHashFunc crypto.Hash -} - func TestKeyHandleToSigner(t *testing.T) { - supportedKeyTypes := []keyHandleTest{ + type testcase struct { + keyTemplate *tink_go_proto.KeyTemplate + expectedHashName string + } + + supportedKeyTypes := []testcase{ { keyTemplate: signature.ECDSAP256KeyWithoutPrefixTemplate(), - h: sha256.New(), expectedHashName: "SHA256", }, { keyTemplate: signature.ECDSAP384KeyWithoutPrefixTemplate(), - h: sha512.New384(), expectedHashName: "SHA512", }, { keyTemplate: signature.ECDSAP521KeyWithoutPrefixTemplate(), - h: sha512.New(), expectedHashName: "SHA512", }, } @@ -260,11 +253,15 @@ func TestKeyHandleToSigner(t *testing.T) { t.Fatalf("error creating ECDSA key handle: %v", err) } - _, hashName, err := KeyHandleToSigner(kh) + signer, hashName, err := KeyHandleToSigner(kh) if err != nil { t.Fatalf("error creating signer from ECDSA key template: %v", err) } + if signer == nil { + t.Fatalf("expected signer to be non-nil") + } + if hashName != kt.expectedHashName { t.Fatalf("expected hash name %s, got %s", kt.expectedHashName, hashName) } From fb69efcf332ba0648364de646ff8bf2dc0ec2f7f Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Thu, 30 Nov 2023 11:43:15 -0700 Subject: [PATCH 10/13] fix linter errors Signed-off-by: Meredith Lancaster --- pkg/api/api.go | 6 +++--- pkg/signer/memory_test.go | 2 +- pkg/signer/signer.go | 16 ++++++++-------- 3 files changed, 12 insertions(+), 12 deletions(-) 
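Review bot: `if signer == nil` only shows that KeyHandleToSigner returned something; it does not check that the signer corresponds to the ECDSA template that was just generated. The test file already imports crypto/ecdsa, so a type assertion is equally cheap and much stronger: `if _, ok := signer.Public().(*ecdsa.PublicKey); !ok { t.Fatalf("expected *ecdsa.PublicKey, got %T", signer.Public()) }`. The loop header and the rest of TestKeyHandleToSigner are outside this hunk.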
diff --git a/pkg/api/api.go b/pkg/api/api.go index 4e6744d3..2996c0d3 100644 --- a/pkg/api/api.go +++ b/pkg/api/api.go @@ -47,8 +47,8 @@ func NewAPI() (*API, error) { return nil, errors.Wrap(err, "error getting hash") } - config := signer.SignerConfig{ - Scheme: signer.SignerScheme(viper.GetString("timestamp-signer")), + config := signer.Config{ + Scheme: signer.Scheme(viper.GetString("timestamp-signer")), CloudKMSKey: viper.GetString("kms-key-resource"), TinkKMSKey: viper.GetString("tink-key-resource"), TinkKeysetPath: viper.GetString("tink-keyset-path"), @@ -64,7 +64,7 @@ func NewAPI() (*API, error) { var certChain []*x509.Certificate // KMS, Tink and File signers require a provided certificate chain - if signer.SignerScheme(viper.GetString("timestamp-signer")) != signer.MemoryScheme { + if signer.Scheme(viper.GetString("timestamp-signer")) != signer.MemoryScheme { certChainPath := viper.GetString("certificate-chain-path") data, err := os.ReadFile(filepath.Clean(certChainPath)) if err != nil { diff --git a/pkg/signer/memory_test.go b/pkg/signer/memory_test.go index cfb77721..b83aba2c 100644 --- a/pkg/signer/memory_test.go +++ b/pkg/signer/memory_test.go @@ -30,7 +30,7 @@ import ( func TestNewTimestampingCertWithChain(t *testing.T) { ctx := context.Background() - config := SignerConfig{ + config := Config{ Scheme: MemoryScheme, } signer, err := NewCryptoSigner(ctx, crypto.Hash(0), config) diff --git a/pkg/signer/signer.go b/pkg/signer/signer.go index b4ed186e..5c31bcd5 100644 --- a/pkg/signer/signer.go +++ b/pkg/signer/signer.go @@ -32,13 +32,13 @@ import ( _ "github.com/sigstore/sigstore/pkg/signature/kms/hashivault" ) -type SignerScheme string +type Scheme string const ( - KMSScheme SignerScheme = "kms" - TinkScheme SignerScheme = "tink" - MemoryScheme SignerScheme = "memory" - FileScheme SignerScheme = "file" + KMSScheme Scheme = "kms" + TinkScheme Scheme = "tink" + MemoryScheme Scheme = "memory" + FileScheme Scheme = "file" ) type WrappedSigner interface { 
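Review bot: `Scheme` and its four constants are exported but carry no doc comment, and the rename that satisfies the linter says nothing about what a Scheme selects or which values NewCryptoSigner accepts. Add `// Scheme names the signing backend NewCryptoSigner builds: a cloud KMS key, a KMS-encrypted Tink keyset, an in-memory key, or a key loaded from a file.` above the type and a short comment on each constant naming the configuration fields it relies on. The WrappedSigner interface whose opening line closes this hunk continues in the next hunk.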
@@ -46,8 +46,8 @@ type WrappedSigner interface { HashFunc() crypto.Hash } -type SignerConfig struct { - Scheme SignerScheme +type Config struct { + Scheme Scheme CloudKMSKey string TinkKMSKey string TinkKeysetPath string @@ -56,7 +56,7 @@ type SignerConfig struct { FileSignerPasswd string } -func NewCryptoSigner(ctx context.Context, hash crypto.Hash, config SignerConfig) (WrappedSigner, error) { +func NewCryptoSigner(ctx context.Context, hash crypto.Hash, config Config) (WrappedSigner, error) { switch config.Scheme { case MemoryScheme: sv, _, err := signature.NewECDSASignerVerifier(elliptic.P256(), rand.Reader, crypto.SHA256) From 44829e9fa3b2b401143bb573447742230f79ecda Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Thu, 30 Nov 2023 11:56:06 -0700 Subject: [PATCH 11/13] gofmt Signed-off-by: Meredith Lancaster --- pkg/signer/tink_test.go | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/pkg/signer/tink_test.go b/pkg/signer/tink_test.go index e3b671e5..84ae0262 100644 --- a/pkg/signer/tink_test.go +++ b/pkg/signer/tink_test.go @@ -38,22 +38,22 @@ import ( func TestNewTinkSigner(t *testing.T) { type testcase struct { - keyTemplate *tink_go_proto.KeyTemplate + keyTemplate *tink_go_proto.KeyTemplate expectedHashFunc crypto.Hash } supportedKeyTypes := []testcase{ { - keyTemplate: signature.ECDSAP256KeyWithoutPrefixTemplate(), - expectedHashFunc: crypto.SHA256, + keyTemplate: signature.ECDSAP256KeyWithoutPrefixTemplate(), + expectedHashFunc: crypto.SHA256, }, { - keyTemplate: signature.ECDSAP384KeyWithoutPrefixTemplate(), - expectedHashFunc: crypto.SHA512, + keyTemplate: signature.ECDSAP384KeyWithoutPrefixTemplate(), + expectedHashFunc: crypto.SHA512, }, { - keyTemplate: signature.ECDSAP521KeyWithoutPrefixTemplate(), - expectedHashFunc: crypto.SHA512, + keyTemplate: signature.ECDSAP521KeyWithoutPrefixTemplate(), + expectedHashFunc: crypto.SHA512, }, } 
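Review bot: `Config` is exported with seven fields and no documentation of which fields each Scheme reads, yet it is the public entry point that pkg/api fills from configuration, so the contract belongs on the struct. Add `// Config selects the signer backend via Scheme and carries the backend-specific settings; only the fields relevant to the chosen Scheme are consulted.` and a per-field comment naming its Scheme, e.g. `// CloudKMSKey is the KMS key resource used when Scheme is KMSScheme.` The struct's remaining fields are context lines of this hunk; the WrappedSigner interface it follows starts before it.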
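Review bot: In the MemoryScheme branch the `hash` parameter is unused and the ECDSA signer-verifier is created with a hard-coded `crypto.SHA256`, so a caller asking for another digest gets a signer that does not match its request unless a later part of the function (outside this hunk) reconciles the two. The memory test in this same patch calls `NewCryptoSigner(ctx, crypto.Hash(0), config)`, so simply passing `hash` through would need a default; the safer minimal step is to say so in a doc comment, which NewCryptoSigner currently lacks: `// NewCryptoSigner builds a WrappedSigner for config.Scheme. The memory scheme always uses P-256 with SHA-256 and ignores hash.` The remaining scheme branches are outside the hunk.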
@@ -229,21 +229,21 @@ func TestKeyHandleToSignerED25519(t *testing.T) { func TestKeyHandleToSigner(t *testing.T) { type testcase struct { - keyTemplate *tink_go_proto.KeyTemplate + keyTemplate *tink_go_proto.KeyTemplate expectedHashName string } supportedKeyTypes := []testcase{ { - keyTemplate: signature.ECDSAP256KeyWithoutPrefixTemplate(), + keyTemplate: signature.ECDSAP256KeyWithoutPrefixTemplate(), expectedHashName: "SHA256", }, { - keyTemplate: signature.ECDSAP384KeyWithoutPrefixTemplate(), + keyTemplate: signature.ECDSAP384KeyWithoutPrefixTemplate(), expectedHashName: "SHA512", }, { - keyTemplate: signature.ECDSAP521KeyWithoutPrefixTemplate(), + keyTemplate: signature.ECDSAP521KeyWithoutPrefixTemplate(), expectedHashName: "SHA512", }, } From 124ac711a9dbf658f075d116e240b1cd333fb721 Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Mon, 4 Dec 2023 17:04:55 -0700 Subject: [PATCH 12/13] update replaced module Signed-off-by: Meredith Lancaster --- go.mod | 41 +++++++++++++++-------------- go.sum | 83 +++++++++++++++++++++++++++++----------------------------- 2 files changed, 63 insertions(+), 61 deletions(-) diff --git a/go.mod b/go.mod index ab3d7278..954bfc9e 100644 --- a/go.mod +++ b/go.mod 
@@ -40,15 +40,15 @@ require ( sigs.k8s.io/release-utils v0.7.7 ) -replace github.com/sigstore/sigstore => github.com/malancas/sigstore v0.0.0-20231031155517-ba36e0d7114c +replace github.com/sigstore/sigstore => github.com/malancas/sigstore v0.0.0-20231204203429-078bde7980e0 -replace github.com/sigstore/sigstore/pkg/signature/kms/aws => github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20231031155517-ba36e0d7114c +replace github.com/sigstore/sigstore/pkg/signature/kms/aws => github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20231204203429-078bde7980e0 -replace github.com/sigstore/sigstore/pkg/signature/kms/azure => github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20231031155517-ba36e0d7114c +replace github.com/sigstore/sigstore/pkg/signature/kms/azure => github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20231204203429-078bde7980e0 -replace github.com/sigstore/sigstore/pkg/signature/kms/gcp => github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20231031155517-ba36e0d7114c +replace github.com/sigstore/sigstore/pkg/signature/kms/gcp => github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20231204203429-078bde7980e0 -replace github.com/sigstore/sigstore/pkg/signature/kms/hashivault => github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20231031155517-ba36e0d7114c +replace github.com/sigstore/sigstore/pkg/signature/kms/hashivault => github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20231204203429-078bde7980e0 require ( cloud.google.com/go v0.110.10 // indirect 
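Review bot: The `replace` directives point github.com/sigstore/sigstore and all four KMS submodules at a personal fork (github.com/malancas/sigstore) pinned by pseudo-version, so every build of this module takes its signing and KMS code from that fork rather than from an upstream sigstore release, and the go.sum entries can only vouch for the fork's commit. This is presumably a stop-gap until the wrapper-interface change lands upstream, but a go.mod that redirects the core signing dependency to an individual's repository should not merge in this form. Mark it explicitly, `// TEMPORARY: tracks an unreleased sigstore/sigstore change; drop these replaces and bump the require before merge.`, and gate the merge on the upstream version existing. The go.sum hunks later in this patch change together with these lines.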
@@ -65,20 +65,21 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect - github.com/aws/aws-sdk-go v1.48.7 // indirect - github.com/aws/aws-sdk-go-v2 v1.21.2 // indirect - github.com/aws/aws-sdk-go-v2/config v1.19.1 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.13.43 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 // indirect - github.com/aws/aws-sdk-go-v2/service/kms v1.24.7 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 // indirect - github.com/aws/smithy-go v1.15.0 // indirect + github.com/aws/aws-sdk-go v1.48.11 // indirect + github.com/aws/aws-sdk-go-v2 v1.23.5 // indirect + github.com/aws/aws-sdk-go-v2/config v1.25.11 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.16.9 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.9 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.8 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.8 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.7.1 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.3 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.8 // indirect + github.com/aws/aws-sdk-go-v2/service/kms v1.27.2 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.18.2 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc 
v1.21.2 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.26.2 // indirect + github.com/aws/smithy-go v1.18.1 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/cenkalti/backoff/v3 v3.2.2 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect @@ -148,7 +149,7 @@ require ( go.uber.org/multierr v1.10.0 // indirect golang.org/x/crypto v0.16.0 // indirect golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect - golang.org/x/oauth2 v0.14.0 // indirect + golang.org/x/oauth2 v0.15.0 // indirect golang.org/x/sync v0.5.0 // indirect golang.org/x/sys v0.15.0 // indirect golang.org/x/term v0.15.0 // indirect diff --git a/go.sum b/go.sum index 794ba237..3786758e 100644 --- a/go.sum +++ b/go.sum 
@@ -72,34 +72,36 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/aws/aws-sdk-go v1.48.7 h1:gDcOhmkohlNk20j0uWpko5cLBbwSkB+xpkshQO45F7Y= -github.com/aws/aws-sdk-go v1.48.7/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= -github.com/aws/aws-sdk-go-v2 v1.21.2 h1:+LXZ0sgo8quN9UOKXXzAWRT3FWd4NxeXWOZom9pE7GA= -github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= -github.com/aws/aws-sdk-go-v2/config v1.19.1 h1:oe3vqcGftyk40icfLymhhhNysAwk0NfiwkDi2GTPMXs= -github.com/aws/aws-sdk-go-v2/config v1.19.1/go.mod h1:ZwDUgFnQgsazQTnWfeLWk5GjeqTQTL8lMkoE1UXzxdE= -github.com/aws/aws-sdk-go-v2/credentials v1.13.43 h1:LU8vo40zBlo3R7bAvBVy/ku4nxGEyZe9N8MqAeFTzF8= -github.com/aws/aws-sdk-go-v2/credentials v1.13.43/go.mod h1:zWJBz1Yf1ZtX5NGax9ZdNjhhI4rgjfgsyk6vTY1yfVg= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 h1:PIktER+hwIG286DqXyvVENjgLTAwGgoeriLDD5C+YlQ= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13/go.mod h1:f/Ib/qYjhV2/qdsf79H3QP/eRE4AkVyEf6sk7XfZ1tg= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 h1:nFBQlGtkbPzp/NjZLuFxRqmT91rLJkgvsEQs68h962Y= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 h1:JRVhO25+r3ar2mKGP7E0LDl8K9/G36gjlqca5iQbaqc= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37/go.mod h1:Qe+2KtKml+FEsQF/DHmDV+xjtche/hwoF75EG4UlHW8= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 h1:hze8YsjSh8Wl1rYa1CJpRmXP21BvOBuc76YhW0HsuQ4= 
-github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45/go.mod h1:lD5M20o09/LCuQ2mE62Mb/iSdSlCNuj6H5ci7tW7OsE= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 h1:WWZA/I2K4ptBS1kg0kV1JbBtG/umed0vwHRrmcr9z7k= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37/go.mod h1:vBmDnwWXWxNPFRMmG2m/3MKOe+xEcMDo1tanpaWCcck= -github.com/aws/aws-sdk-go-v2/service/kms v1.24.7 h1:uRGw0UKo5hc7M2T7uGsK/Yg2qwecq/dnVjQbbq9RCzY= -github.com/aws/aws-sdk-go-v2/service/kms v1.24.7/go.mod h1:z3O9CXfVrKAV3c9fMWOUUv2C6N2ggXCDHeXpOB6lAEk= -github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 h1:JuPGc7IkOP4AaqcZSIcyqLpFSqBWK32rM9+a1g6u73k= -github.com/aws/aws-sdk-go-v2/service/sso v1.15.2/go.mod h1:gsL4keucRCgW+xA85ALBpRFfdSLH4kHOVSnLMSuBECo= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 h1:HFiiRkf1SdaAmV3/BHOFZ9DjFynPHj8G/UIO1lQS+fk= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3/go.mod h1:a7bHA82fyUXOm+ZSWKU6PIoBxrjSprdLoM8xPYvzYVg= -github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 h1:0BkLfgeDjfZnZ+MhB3ONb01u9pwFYTCZVhlsSSBvlbU= -github.com/aws/aws-sdk-go-v2/service/sts v1.23.2/go.mod h1:Eows6e1uQEsc4ZaHANmsPRzAKcVDrcmjjWiih2+HUUQ= -github.com/aws/smithy-go v1.15.0 h1:PS/durmlzvAFpQHDs4wi4sNNP9ExsqZh6IlfdHXgKK8= -github.com/aws/smithy-go v1.15.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/aws/aws-sdk-go v1.48.11 h1:9YbiSbaF/jWi+qLRl+J5dEhr2mcbDYHmKg2V7RBcD5M= +github.com/aws/aws-sdk-go v1.48.11/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= +github.com/aws/aws-sdk-go-v2 v1.23.5 h1:xK6C4udTyDMd82RFvNkDQxtAd00xlzFUtX4fF2nMZyg= +github.com/aws/aws-sdk-go-v2 v1.23.5/go.mod h1:t3szzKfP0NeRU27uBFczDivYJjsmSnqI8kIvKyWb9ds= +github.com/aws/aws-sdk-go-v2/config v1.25.11 h1:RWzp7jhPRliIcACefGkKp03L0Yofmd2p8M25kbiyvno= +github.com/aws/aws-sdk-go-v2/config v1.25.11/go.mod h1:BVUs0chMdygHsQtvaMyEOpW2GIW+ubrxJLgIz/JU29s= +github.com/aws/aws-sdk-go-v2/credentials v1.16.9 h1:LQo3MUIOzod9JdUK+wxmSdgzLVYUbII3jXn3S/HJZU0= 
+github.com/aws/aws-sdk-go-v2/credentials v1.16.9/go.mod h1:R7mDuIJoCjH6TxGUc/cylE7Lp/o0bhKVoxdBThsjqCM= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.9 h1:FZVFahMyZle6WcogZCOxo6D/lkDA2lqKIn4/ueUmVXw= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.9/go.mod h1:kjq7REMIkxdtcEC9/4BVXjOsNY5isz6jQbEgk6osRTU= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.8 h1:8GVZIR0y6JRIUNSYI1xAMF4HDfV8H/bOsZ/8AD/uY5Q= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.8/go.mod h1:rwBfu0SoUkBUZndVgPZKAD9Y2JigaZtRP68unRiYToQ= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.8 h1:ZE2ds/qeBkhk3yqYvS3CDCFNvd9ir5hMjlVStLZWrvM= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.8/go.mod h1:/lAPPymDYL023+TS6DJmjuL42nxix2AvEvfjqOBRODk= +github.com/aws/aws-sdk-go-v2/internal/ini v1.7.1 h1:uR9lXYjdPX0xY+NhvaJ4dD8rpSRz5VY81ccIIoNG+lw= +github.com/aws/aws-sdk-go-v2/internal/ini v1.7.1/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.3 h1:e3PCNeEaev/ZF01cQyNZgmYE9oYYePIMJs2mWSKG514= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.3/go.mod h1:gIeeNyaL8tIEqZrzAnTeyhHcE0yysCtcaP+N9kxLZ+E= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.8 h1:EamsKe+ZjkOQjDdHd86/JCEucjFKQ9T0atWKO4s2Lgs= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.8/go.mod h1:Q0vV3/csTpbkfKLI5Sb56cJQTCTtJ0ixdb7P+Wedqiw= +github.com/aws/aws-sdk-go-v2/service/kms v1.27.2 h1:I0NiSQiZu1UzP0akJWXSacjckEpYdN4VN7XYYfW6EYs= +github.com/aws/aws-sdk-go-v2/service/kms v1.27.2/go.mod h1:E2IzqbIZfYuYUgib2KxlaweBbkxHCb3ZIgnp85TjKic= +github.com/aws/aws-sdk-go-v2/service/sso v1.18.2 h1:xJPydhNm0Hiqct5TVKEuHG7weC0+sOs4MUnd7A5n5F4= +github.com/aws/aws-sdk-go-v2/service/sso v1.18.2/go.mod h1:zxk6y1X2KXThESWMS5CrKRvISD8mbIMab6nZrCGxDG0= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.2 h1:8dU9zqA77C5egbU6yd4hFLaiIdPv3rU+6cp7sz5FjCU= 
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.2/go.mod h1:7Lt5mjQ8x5rVdKqg+sKKDeuwoszDJIIPmkd8BVsEdS0= +github.com/aws/aws-sdk-go-v2/service/sts v1.26.2 h1:fFrLsy08wEbAisqW3KDl/cPHrF43GmV79zXB9EwJiZw= +github.com/aws/aws-sdk-go-v2/service/sts v1.26.2/go.mod h1:7Ld9eTqocTvJqqJ5K/orbSDwmGcpRdlDiLjz2DO+SL8= +github.com/aws/smithy-go v1.18.1 h1:pOdBTUfXNazOlxLrgeYalVnuTpKreACHtc62xLwIB3c= +github.com/aws/smithy-go v1.18.1/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE= github.com/beevik/ntp v1.3.0 h1:/w5VhpW5BGKS37vFm1p9oVk/t4HnnkKZAZIubHM6F7Q= github.com/beevik/ntp v1.3.0/go.mod h1:vD6h1um4kzXpqmLTuu0cCLcC+NfvC0IC+ltmEDA8E78= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= @@ -284,7 +286,6 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-containerregistry v0.16.1 h1:rUEt426sR6nyrL3gt+18ibRcvYpKYdpsa5ZW7MA08dQ= 
@@ -398,16 +399,16 @@ github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN
 github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
-github.com/malancas/sigstore v0.0.0-20231031155517-ba36e0d7114c h1:b2CpZnqe6n1R031ZanXjy2LXUA/4pMA6HJ27y3twyjg=
-github.com/malancas/sigstore v0.0.0-20231031155517-ba36e0d7114c/go.mod h1:9OCmYWhzuq/G4e1cy9m297tuMRJ1LExyrXY3ZC3Zt/s=
-github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20231031155517-ba36e0d7114c h1:OhMuTlILM7k1FcOLTkCTNwz77oAhqlWTCmJNr8jh3WU=
-github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20231031155517-ba36e0d7114c/go.mod h1:3pL9u1lz6w1ySi+aKBgsX1gJDyCUhK11LmetPHAUPGA=
-github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20231031155517-ba36e0d7114c h1:uekPewfrD3Ds0qByJzxGFvMaNVqmGykzcHQ0HqJbuRE=
-github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20231031155517-ba36e0d7114c/go.mod h1:9nJQA5YgWsXrwjrVoVaO8JfTI/TpPF+oAkpkNKZu6lo=
-github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20231031155517-ba36e0d7114c h1:O2KyZSIiEA2fNqVgd2CNd1hAA7QlJbRHkiwj9i3RWeE=
-github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20231031155517-ba36e0d7114c/go.mod h1:NzK4xwhukQnYPyf70yRKuIa6+TFg/boRad/GMJYOAho=
-github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20231031155517-ba36e0d7114c h1:zx4cjctdObyT3vyqNzxeok/MmbdXDs//CGx9/Jizdkc=
-github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20231031155517-ba36e0d7114c/go.mod h1:EI9vDWVGG8fQU9aFMY7Bd204xJiqmXcDMSkFifCf16Q=
+github.com/malancas/sigstore v0.0.0-20231204203429-078bde7980e0 h1:fVqtTOUAfYnyYLGv6Q80tOH5uy8g78WLd9CQ7WnHJ08=
+github.com/malancas/sigstore v0.0.0-20231204203429-078bde7980e0/go.mod h1:FJE+NpEZIs4QKqZl4B2RtaVLVDcDtocAwTiNlexeBkY=
+github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20231204203429-078bde7980e0 h1:vuLAdydfQ9tG0QFqvz8Su8NADF037O6MiQ0GtBzTtRI=
+github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20231204203429-078bde7980e0/go.mod h1:3zOHOLHnCE6EXyVH+6Z/lC9O1RDsbmR045NQ1DogiHw=
+github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20231204203429-078bde7980e0 h1:U3Lc/lGey+W8vlmaZqtVqVHAmikrmkLR2MuwDvfzSEw=
+github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20231204203429-078bde7980e0/go.mod h1:LH+ct6D77J8Ks6PXijMYYhmlQ1mbqKHbmy7+Sw5/Woc=
+github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20231204203429-078bde7980e0 h1:OKhsTfq/QEtu8sStW4oNEZwjPbMR6dn7nyQv0k+8rsg=
+github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20231204203429-078bde7980e0/go.mod h1:Hwhlx8JSZJF1R27JlwW/Bl2h40reG3MfKANREtBI0L8=
+github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20231204203429-078bde7980e0 h1:1r4JDv4pqChgSMj6H+c8eBTywQ66NvpTet1o23cJsBY=
+github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20231204203429-078bde7980e0/go.mod h1:/l/PzSbTOuIAtglOwUdlzzYvjIZ2WyaBpt5722JTmLY=
 github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE=
 github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
@@ -662,8 +663,8 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.14.0 h1:P0Vrf/2538nmC0H+pEQ3MNFRRnVR7RlqyVw+bvm26z0=
-golang.org/x/oauth2 v0.14.0/go.mod h1:lAtNWgaWfL4cm7j2OV8TxGi9Qb7ECORx8DktCY74OwM=
+golang.org/x/oauth2 v0.15.0 h1:s8pnnxNVzjWyrvYdFUQq5llS1PX2zhPXmccZv99h7uQ=
+golang.org/x/oauth2 v0.15.0/go.mod h1:q48ptWNTY5XWf+JNten23lcvHpLJ0ZSxF5ttTHKVCAM=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
From 011e9eeedd0fe2ac51558f9c313189c919068345 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Tue, 5 Dec 2023 20:19:34 -0700
Subject: [PATCH 13/13] use updated kms client code
Signed-off-by: Meredith Lancaster
---
go.mod | 10 +++++-----
go.sum | 20 ++++++++++----------
pkg/api/api.go | 3 +--
pkg/signer/signer.go | 16 ++++++++++++++--
4 files changed, 30 insertions(+), 19 deletions(-)
diff --git a/go.mod b/go.mod
index 954bfc9e..3b57786a 100644
--- a/go.mod
+++ b/go.mod
@@ -40,15 +40,15 @@ require (
 sigs.k8s.io/release-utils v0.7.7
 )

-replace github.com/sigstore/sigstore => github.com/malancas/sigstore v0.0.0-20231204203429-078bde7980e0
+replace github.com/sigstore/sigstore => github.com/malancas/sigstore v0.0.0-20231206031758-2ec4921c801c

-replace github.com/sigstore/sigstore/pkg/signature/kms/aws => github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20231204203429-078bde7980e0
+replace github.com/sigstore/sigstore/pkg/signature/kms/aws => github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20231206031758-2ec4921c801c

-replace github.com/sigstore/sigstore/pkg/signature/kms/azure => github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20231204203429-078bde7980e0
+replace github.com/sigstore/sigstore/pkg/signature/kms/azure => github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20231206031758-2ec4921c801c

-replace github.com/sigstore/sigstore/pkg/signature/kms/gcp => github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20231204203429-078bde7980e0
+replace github.com/sigstore/sigstore/pkg/signature/kms/gcp => github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20231206031758-2ec4921c801c

-replace github.com/sigstore/sigstore/pkg/signature/kms/hashivault => github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20231204203429-078bde7980e0
+replace github.com/sigstore/sigstore/pkg/signature/kms/hashivault => github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20231206031758-2ec4921c801c

 require (
 cloud.google.com/go v0.110.10 // indirect
diff --git a/go.sum b/go.sum
index 3786758e..f5b2f6d9 100644
--- a/go.sum
+++ b/go.sum
@@ -399,16 +399,16 @@ github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN
 github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
-github.com/malancas/sigstore v0.0.0-20231204203429-078bde7980e0 h1:fVqtTOUAfYnyYLGv6Q80tOH5uy8g78WLd9CQ7WnHJ08=
-github.com/malancas/sigstore v0.0.0-20231204203429-078bde7980e0/go.mod h1:FJE+NpEZIs4QKqZl4B2RtaVLVDcDtocAwTiNlexeBkY=
-github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20231204203429-078bde7980e0 h1:vuLAdydfQ9tG0QFqvz8Su8NADF037O6MiQ0GtBzTtRI=
-github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20231204203429-078bde7980e0/go.mod h1:3zOHOLHnCE6EXyVH+6Z/lC9O1RDsbmR045NQ1DogiHw=
-github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20231204203429-078bde7980e0 h1:U3Lc/lGey+W8vlmaZqtVqVHAmikrmkLR2MuwDvfzSEw=
-github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20231204203429-078bde7980e0/go.mod h1:LH+ct6D77J8Ks6PXijMYYhmlQ1mbqKHbmy7+Sw5/Woc=
-github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20231204203429-078bde7980e0 h1:OKhsTfq/QEtu8sStW4oNEZwjPbMR6dn7nyQv0k+8rsg=
-github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20231204203429-078bde7980e0/go.mod h1:Hwhlx8JSZJF1R27JlwW/Bl2h40reG3MfKANREtBI0L8=
-github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20231204203429-078bde7980e0 h1:1r4JDv4pqChgSMj6H+c8eBTywQ66NvpTet1o23cJsBY=
-github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20231204203429-078bde7980e0/go.mod h1:/l/PzSbTOuIAtglOwUdlzzYvjIZ2WyaBpt5722JTmLY=
+github.com/malancas/sigstore v0.0.0-20231206031758-2ec4921c801c h1:V3NMY5gJJB901liy3e5IjMLTLqeiziHBRsKVVXg8bOg=
+github.com/malancas/sigstore v0.0.0-20231206031758-2ec4921c801c/go.mod h1:FJE+NpEZIs4QKqZl4B2RtaVLVDcDtocAwTiNlexeBkY=
+github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20231206031758-2ec4921c801c h1:hgdNICpzmn9rGFmSwOryooOscYanM4vsX7KQQzQFBLc=
+github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20231206031758-2ec4921c801c/go.mod h1:3zOHOLHnCE6EXyVH+6Z/lC9O1RDsbmR045NQ1DogiHw=
+github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20231206031758-2ec4921c801c h1:5TE5NfEiQ+xVi6r+HfH8ILcE6FQCSSyYEboay6JWBSA=
+github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20231206031758-2ec4921c801c/go.mod h1:LH+ct6D77J8Ks6PXijMYYhmlQ1mbqKHbmy7+Sw5/Woc=
+github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20231206031758-2ec4921c801c h1:/Z42a+cxoa9zAPmIiVakeITFpaFyAoNEbBVLbuLx898=
+github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20231206031758-2ec4921c801c/go.mod h1:Hwhlx8JSZJF1R27JlwW/Bl2h40reG3MfKANREtBI0L8=
+github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20231206031758-2ec4921c801c h1:LvGdjfm+9LdQIEegxysv7+8UDOFYrtNfA+nJFKcIJ3Y=
+github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20231206031758-2ec4921c801c/go.mod h1:/l/PzSbTOuIAtglOwUdlzzYvjIZ2WyaBpt5722JTmLY=
 github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE=
 github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
diff --git a/pkg/api/api.go b/pkg/api/api.go
index 2996c0d3..1d62e710 100644
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -27,14 +27,13 @@ import (
 "github.com/spf13/viper"

 "github.com/sigstore/sigstore/pkg/cryptoutils"
- "github.com/sigstore/sigstore/pkg/signature/kms"
 "github.com/sigstore/timestamp-authority/pkg/log"
 "github.com/sigstore/timestamp-authority/pkg/signer"
 tsx509 "github.com/sigstore/timestamp-authority/pkg/x509"
 )

 type API struct {
- tsaSigner kms.CryptoSignerWrapper // the signer to use for timestamping
+ tsaSigner signer.WrappedSigner // the signer to use for timestamping
 certChain []*x509.Certificate // timestamping cert chain
 certChainPem string // PEM encoded timestamping cert chain
 }
diff --git a/pkg/signer/signer.go b/pkg/signer/signer.go
index 5c31bcd5..c1e783ab 100644
--- a/pkg/signer/signer.go
+++ b/pkg/signer/signer.go
@@ -46,6 +46,15 @@ type WrappedSigner interface {
 HashFunc() crypto.Hash
 }

+type KMS struct {
+ crypto.Signer
+ hashFunc crypto.Hash
+}
+
+func (k KMS) HashFunc() crypto.Hash {
+ return k.hashFunc
+}
+
 type Config struct {
 Scheme Scheme
 CloudKMSKey string
@@ -68,8 +77,11 @@ func NewCryptoSigner(ctx context.Context, hash crypto.Hash, config Config) (Wrap
 if err != nil {
 return nil, err
 }
- s, _, err := signer.CryptoSigner(ctx, func(err error) {})
- return s, err
+ s, signerOpts, err := signer.CryptoSigner(ctx, func(err error) {})
+ return KMS{
+ s,
+ signerOpts.HashFunc(),
+ }, err
 case TinkScheme:
 primaryKey, err := GetPrimaryKey(ctx, config.TinkKMSKey, config.HCVaultToken)
 if err != nil {
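Review bot: The new exported type `KMS` and its `HashFunc` method have no doc comments, so the only way to learn why this adapter exists is to notice that it embeds `crypto.Signer` and that `WrappedSigner` (whose declaration starts above this hunk) requires a `HashFunc`. Suggest `// KMS adapts a crypto.Signer returned by a KMS-backed signer to WrappedSigner by carrying the hash function its crypto.SignerOpts reported.` above the struct, `// hashFunc is the digest algorithm taken from the signer's SignerOpts at construction.` on the field, and `// HashFunc returns the hash algorithm callers must apply before passing a digest to Sign.` above the method. Since `hashFunc` is unexported, a comment noting that values are built only inside this package (by NewCryptoSigner) would also save a reader from looking for a constructor.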
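Review bot: `signerOpts.HashFunc()` is evaluated before `err` from `signer.CryptoSigner` is examined, so on a failure where the returned `signerOpts` is nil the method call panics with a nil-interface dereference instead of propagating the error the removed `return s, err` used to return; the old code never touched the second result. Check the error first and construct the `KMS` value only on the success path, using keyed fields so the embedded signer and the hash cannot be swapped silently in the positional literal. The `func(err error) {}` callback that discards errors reported through it is carried over unchanged from the removed line, so it is not introduced here, but for a timestamping key those errors probably deserve at least a log line. NewCryptoSigner and the enclosing switch start before the hunk.
```go
		// … unchanged: signer construction and its error check above …
		s, signerOpts, err := signer.CryptoSigner(ctx, func(err error) {})
		if err != nil {
			return nil, err
		}
		return KMS{Signer: s, hashFunc: signerOpts.HashFunc()}, nil
	case TinkScheme:
```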